Re: [http-state] consensus call: cookie server conformance

Daniel Stenberg <daniel@haxx.se> Sat, 29 January 2011 22:10 UTC

Return-Path: <daniel@haxx.se>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 874923A6890 for <http-state@core3.amsl.com>; Sat, 29 Jan 2011 14:10:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.916
X-Spam-Level:
X-Spam-Status: No, score=-3.916 tagged_above=-999 required=5 tests=[AWL=0.333, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pepeZS42GmAN for <http-state@core3.amsl.com>; Sat, 29 Jan 2011 14:10:11 -0800 (PST)
Received: from giant.haxx.se (giant.haxx.se [80.67.6.50]) by core3.amsl.com (Postfix) with ESMTP id 3B30B3A6886 for <http-state@ietf.org>; Sat, 29 Jan 2011 14:10:11 -0800 (PST)
Received: from giant.haxx.se (giant.haxx.se [80.67.6.50]) by giant.haxx.se (8.14.3/8.14.3/Debian-9.1) with ESMTP id p0TMDMCq002064; Sat, 29 Jan 2011 23:13:22 +0100
Date: Sat, 29 Jan 2011 23:13:22 +0100 (CET)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <AANLkTin1kyVmqAObQAMobf8d97jQjqtP7Ldsh_=s0OTL@mail.gmail.com>
Message-ID: <alpine.DEB.2.00.1101292242340.1561@tvnag.unkk.fr>
References: <4D41FA83.5040302@KingsMountain.com> <4D433C9A.7010203@gmail.com> <alpine.DEB.2.00.1101291735580.10943@tvnag.unkk.fr> <AANLkTin1kyVmqAObQAMobf8d97jQjqtP7Ldsh_=s0OTL@mail.gmail.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: IETF HTTP State WG <http-state@ietf.org>
Subject: Re: [http-state] consensus call: cookie server conformance
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jan 2011 22:10:12 -0000

On Sat, 29 Jan 2011, Adam Barth wrote:

>> I hadn't really considered these details about 'token' there and I agree
>> that it seems a bit too strict.
>
> That rule comes from RFC 2109 (with the bogus parts of the RFC 2109 
> cookie-value syntax removed).  It's certainly stricter than we need. 
> Something like allowing base64 sounds reasonable to me.

As a little comparison, my parser (that seems to work with a vast majority of 
all sites) simply allows anything except ; and = in a cookie name, and 
everything except ; and \r and \n in cookie contents.

Of course that doesn't really say that servers will use all those letters, 
only that a receiving end really has little reason to make it more strict than 
this.

-- 

  / daniel.haxx.se