Re: [http-state] Ticket 5: Cookie ordering

Adam Barth <> Mon, 08 February 2010 17:00 UTC

From: Adam Barth <>
Date: Mon, 8 Feb 2010 09:00:43 -0800
To: "Paul E. Jones" <>
Cc: Daniel Stenberg <>, http-state <>
Subject: Re: [http-state] Ticket 5: Cookie ordering

On Mon, Feb 8, 2010 at 8:49 AM, Paul E. Jones <> wrote:
>> My suggestion would be that the spec should recommend an ordering
>> based on both domain and path (order of preference to be decided), as
>> that will be more predictable for sites using multiple cookies with the
>> same name at various domain and path levels.
> Should we rely on the client to do this?  Your proposal is good, but I'm
> skeptical that I can rely on this as a developer on the server side.

I would recommend against relying on this behavior.  We can explicitly
admonish servers not to rely on this behavior.

> Personally, I'd prefer that the client never send two cookies with the same
> name.  If there are two or more cookies in the browser with the same name, I
> would think the browser should only send the cookie with the most precise
> path match.  So, if there is a cookie at / and a cookie at /foo, and the
> user is accessing /foo, only the cookie for that path would be provided.  Is
> there a good reason to send multiple cookies with the same name?

We have to send multiple cookies with the same name because that's
what user agents do today.  We're not permitted to alter the syntax of
the protocol in Phase 1.  In Phase 2, these sorts of changes will be
on the table.
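
An added example, not part of the original message: a server-side reading of the Cookie request header that follows the advice above not to rely on ordering. The request header carries only name=value pairs, with no path or domain, so this sketch collects every value per name and refuses to pick one when they differ; the function names and the sample header are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the client sends two cookies named "sid", as user
# agents do when cookies with the same name exist at different scopes.
SAMPLE_HEADER = "sid=abc123; theme=dark; sid=zzz999"


class AmbiguousCookie(Exception):
    """Raised when one name arrives with several different values."""


def parse_cookie_header(header):
    """Return {name: [values, ...]} keeping every value the client sent."""
    cookies = defaultdict(list)
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue  # skip empty segments and tokens without a name
        name, value = pair.split("=", 1)
        cookies[name.strip()].append(value.strip())
    return dict(cookies)


def get_unique_cookie(header, name):
    """Return the value for `name`, or None if it is absent.

    The position of a value in the header is never used to choose between
    duplicates. If the same name carries different values, the request is
    treated as ambiguous and the caller decides how to fail.
    """
    values = parse_cookie_header(header).get(name, [])
    if not values:
        return None
    if len(set(values)) > 1:
        raise AmbiguousCookie(
            "%d different values received for cookie %r" % (len(set(values)), name)
        )
    return values[0]


if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE_HEADER))
    print(get_unique_cookie(SAMPLE_HEADER, "theme"))
    try:
        get_unique_cookie(SAMPLE_HEADER, "sid")
    except AmbiguousCookie as exc:
        print("rejected:", exc)
```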