Re: [http-state] draft-ietf-httpstate-cookie-05 posted

"Paul E. Jones" <> Mon, 15 March 2010 23:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8FD933A63C9 for <>; Mon, 15 Mar 2010 16:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.339
X-Spam-Status: No, score=-2.339 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C-3aldzjTqii for <>; Mon, 15 Mar 2010 16:52:34 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id F09063A66B4 for <>; Mon, 15 Mar 2010 16:52:28 -0700 (PDT)
Received: from ( []) (authenticated bits=0) by (8.14.2/8.14.2) with ESMTP id o2FNqMVf014712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 15 Mar 2010 19:52:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=dublin; t=1268697148; bh=L1PCk+exMs0XXf4bA/dUEXxmBF9lHbJBJNLHHvScvv0=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=BrAozrv+B5xxCxJ9viY5HqWdsej9E2QY2jGfX7wvAb9u8xiGdnS48/bqe7C9/Y4s4 CEtRW4d/r7AtifVdP99OhVrN0CMmRMFI6mb7/NzjReHTabpcnUWvpS8y7oqIdmGsV0 ibq9nyStSvsz2Harsffz9ur/OkF9f3uFXHjquf8Y=
Received: from sydney ( []) (authenticated bits=0) by (8.14.2/8.14.2) with ESMTP id o2FNqJPP016474 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 15 Mar 2010 19:52:20 -0400
From: "Paul E. Jones" <>
To: "'Adam Barth'" <>
References: <> <op.u9dpzpdoqrq7tp@acorna> <> <> <op.u9feulgkqrq7tp@acorna> <009401cac476$eb8c83c0$c2a58b40$@com> <> <009a01cac489$47f0fda0$d7d2f8e0$@com> <>
In-Reply-To: <>
Date: Mon, 15 Mar 2010 19:52:18 -0400
Message-ID: <00a901cac49a$8cab1370$a6013a50$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Content-language: en-us
Thread-index: AcrEkBy95zJCKaOQSYGbt8+NbKy7EQABkbjQ
Cc: 'Daniel Stenberg' <>, 'http-state' <>
Subject: Re: [http-state] draft-ietf-httpstate-cookie-05 posted
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Mar 2010 23:52:35 -0000


> > If a UA today would do something strange, the UA needs to be fixed.
> The spec already requires UAs to handle this case.  As I said above,
> this language is in the spec as advice to help servers deal with
> existing UAs that do not comply with the spec.  By definition, the UAs
> we're concerened about here cannot be fixed.

But, are there UAs that truly have a problem with the cookie expiration
time?  If so, this is a bug and we should not change the protocol (which
this recommendation does, in effect) due to such an isolated bug.  Perhaps
it might be noteworthy to have in a blog somewhere that browser X has this
limitation, but it does not seem appropriate for the standard, because I
would not want to encourage application server developers to impose some
artificial limit like this.
> > I'm concerned with inserting language that requires behavior to try
> to overcome
> > issues with user agents.
> That's how the web works.

I don't understand what you mean by this statement.
> > Do such issues exist in practice?  If so, we ought to fix the
> browser.
> I haven't tested browsers, but I do know of these sorts of issues
> occurring in HTTP caching headers, for example in IE6.

While IE6 still clings to corporate walls, me, you, and everybody --
including Microsoft -- agrees that it's long past time for this browser
release to disappear.  And, I believe the corporate world has received that
message and I am seeing a decline in IE6 usage.  This specification will
provide guidance for years (perhaps decades), so we ought not force server
application developers to consider (for too long) such interop issues.  This
is but 1 of many, many things people have to deal with for IE6 -- if it is
even a problem at all.  I would have guessed that MS would have changed any
future date in 0x7FFFFFFF if they do use time_t.  And, that's OK.
> > Also consider that it's not the web server that will generate
> cookies, but
> > many thousands of application developers will create cookies and
> specify
> > expiration dates.  There are just a handful of browser vendors.
> So?

There will be thousands of web developers who do not look at this spec.  I
expect every browser vendor will have a team that reads this spec.  With
just a few browser vendors and everybody reading the spec and understanding
that dates might be years like 5243, then I would expect a greater chance of
handling the date in some "sane" manner.  And, that "sane" manner might be
to not use a 32-bit time_t. 
> > When one of these thousands of app developers passes an expiration
> date of
> > 2050 over the wire and a browser breaks, do we blame the application
> > developer who composed a proper date or the browser vendor who didn't
> give
> > the date reasonable treatment? This language suggests we blame the
> app
> > developer, but I don't think that's where blame should be placed.
> I'm not very interested in the blame game.  The spec requires UAs to
> handle these far-future dates in a reasonable way.  The spec also
> recommends servers avoid using these dates because of interoperability
> issues.  If we find a case where the server is using such a date and
> the UA is having trouble processing it, I'd recommend that both the
> server and the UA change.

And both might change.  Application developers, as I mentioned, already work
around all kinds of UA inconsistencies.  Even so, the text provides guidance
to web server developers to NOT use dates beyond 2036 (which I assume you'll
change to 2038) to maximize compatibility.  This is like a stamp of approval
for UAs to not support longer dates.

I'd be O with something like:
It should be noted that some older user agents that utilize a 32-bit signed
time_t data type to store the cookie expiration time might not properly
support dates much beyond 2037.  If support of such legacy user agents is
important, application developers should take care to use sane-cookie-dates
before 2038.

Perhaps the word "legacy" is too strong and could be replaced with "older".
But, I think that captures your intent to provide caution, but also
highlights the fact that it's not desirable for UAs to have this limitation.