Re: [http-state] draft-ietf-httpstate-cookie-05 posted
"Paul E. Jones" <paulej@packetizer.com> Mon, 15 March 2010 23:52 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FD933A63C9 for <http-state@core3.amsl.com>; Mon, 15 Mar 2010 16:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.339
X-Spam-Level:
X-Spam-Status: No, score=-2.339 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C-3aldzjTqii for <http-state@core3.amsl.com>; Mon, 15 Mar 2010 16:52:34 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by core3.amsl.com (Postfix) with ESMTP id F09063A66B4 for <http-state@ietf.org>; Mon, 15 Mar 2010 16:52:28 -0700 (PDT)
Received: from berlin.arid.us (rrcs-98-101-146-183.midsouth.biz.rr.com [98.101.146.183]) (authenticated bits=0) by dublin.packetizer.com (8.14.2/8.14.2) with ESMTP id o2FNqMVf014712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 15 Mar 2010 19:52:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1268697148; bh=L1PCk+exMs0XXf4bA/dUEXxmBF9lHbJBJNLHHvScvv0=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=BrAozrv+B5xxCxJ9viY5HqWdsej9E2QY2jGfX7wvAb9u8xiGdnS48/bqe7C9/Y4s4 CEtRW4d/r7AtifVdP99OhVrN0CMmRMFI6mb7/NzjReHTabpcnUWvpS8y7oqIdmGsV0 ibq9nyStSvsz2Harsffz9ur/OkF9f3uFXHjquf8Y=
Received: from sydney (sydney.arid.us [192.168.1.20]) (authenticated bits=0) by berlin.arid.us (8.14.2/8.14.2) with ESMTP id o2FNqJPP016474 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 15 Mar 2010 19:52:20 -0400
From: "Paul E. Jones" <paulej@packetizer.com>
To: 'Adam Barth' <ietf@adambarth.com>
References: <5c4444771003071050r3475798co95cc192d1f2e8190@mail.gmail.com> <op.u9dpzpdoqrq7tp@acorna> <5c4444771003101823u25842652o33b49b2be81f4cfc@mail.gmail.com> <alpine.DEB.2.00.1003112201360.25452@tvnag.unkk.fr> <op.u9feulgkqrq7tp@acorna> <009401cac476$eb8c83c0$c2a58b40$@com> <5c4444771003151240h61a87c3fp9a1649d1163111ce@mail.gmail.com> <009a01cac489$47f0fda0$d7d2f8e0$@com> <5c4444771003151510n2264a33ct26f627a11b202b16@mail.gmail.com>
In-Reply-To: <5c4444771003151510n2264a33ct26f627a11b202b16@mail.gmail.com>
Date: Mon, 15 Mar 2010 19:52:18 -0400
Message-ID: <00a901cac49a$8cab1370$a6013a50$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Content-language: en-us
Thread-index: AcrEkBy95zJCKaOQSYGbt8+NbKy7EQABkbjQ
Cc: 'Daniel Stenberg' <daniel@haxx.se>, 'http-state' <http-state@ietf.org>
Subject: Re: [http-state] draft-ietf-httpstate-cookie-05 posted
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2010 23:52:35 -0000
Adam, > > If a UA today would do something strange, the UA needs to be fixed. > > The spec already requires UAs to handle this case. As I said above, > this language is in the spec as advice to help servers deal with > existing UAs that do not comply with the spec. By definition, the UAs > we're concerened about here cannot be fixed. But, are there UAs that truly have a problem with the cookie expiration time? If so, this is a bug and we should not change the protocol (which this recommendation does, in effect) due to such an isolated bug. Perhaps it might be noteworthy to have in a blog somewhere that browser X has this limitation, but it does not seem appropriate for the standard, because I would not want to encourage application server developers to impose some artificial limit like this. > > I'm concerned with inserting language that requires behavior to try > to overcome > > issues with user agents. > > That's how the web works. I don't understand what you mean by this statement. > > Do such issues exist in practice? If so, we ought to fix the > browser. > > I haven't tested browsers, but I do know of these sorts of issues > occurring in HTTP caching headers, for example in IE6. While IE6 still clings to corporate walls, me, you, and everybody -- including Microsoft -- agrees that it's long past time for this browser release to disappear. And, I believe the corporate world has received that message and I am seeing a decline in IE6 usage. This specification will provide guidance for years (perhaps decades), so we ought not force server application developers to consider (for too long) such interop issues. This is but 1 of many, many things people have to deal with for IE6 -- if it is even a problem at all. I would have guessed that MS would have changed any future date in 0x7FFFFFFF if they do use time_t. And, that's OK. > > Also consider that it's not the web server that will generate > cookies, but > > many thousands of application developers will create cookies and > specify > > expiration dates. There are just a handful of browser vendors. > > So? There will be thousands of web developers who do not look at this spec. I expect every browser vendor will have a team that reads this spec. With just a few browser vendors and everybody reading the spec and understanding that dates might be years like 5243, then I would expect a greater chance of handling the date in some "sane" manner. And, that "sane" manner might be to not use a 32-bit time_t. > > When one of these thousands of app developers passes an expiration > date of > > 2050 over the wire and a browser breaks, do we blame the application > > developer who composed a proper date or the browser vendor who didn't > give > > the date reasonable treatment? This language suggests we blame the > app > > developer, but I don't think that's where blame should be placed. > > I'm not very interested in the blame game. The spec requires UAs to > handle these far-future dates in a reasonable way. The spec also > recommends servers avoid using these dates because of interoperability > issues. If we find a case where the server is using such a date and > the UA is having trouble processing it, I'd recommend that both the > server and the UA change. And both might change. Application developers, as I mentioned, already work around all kinds of UA inconsistencies. Even so, the text provides guidance to web server developers to NOT use dates beyond 2036 (which I assume you'll change to 2038) to maximize compatibility. This is like a stamp of approval for UAs to not support longer dates. I'd be O with something like: It should be noted that some older user agents that utilize a 32-bit signed time_t data type to store the cookie expiration time might not properly support dates much beyond 2037. If support of such legacy user agents is important, application developers should take care to use sane-cookie-dates before 2038. Perhaps the word "legacy" is too strong and could be replaced with "older". But, I think that captures your intent to provide caution, but also highlights the fact that it's not desirable for UAs to have this limitation. Paul
- [http-state] draft-ietf-httpstate-cookie-05 posted Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve Nysaeter Pettersen
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve Nysaeter Pettersen
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Julian Reschke
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Julian Reschke
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… David Morris
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Daniel Stenberg
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Yngve Nysaeter Pettersen
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Paul E. Jones
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Adam Barth
- Re: [http-state] draft-ietf-httpstate-cookie-05 p… Dan Witte