- From: David W. Morris <dwm@xpasc.com>
- Date: Mon, 24 Feb 1997 14:04:02 -0800 (PST)
- To: Dave Kristol <dmk@research.bell-labs.com>
- Cc: http-wg@cuckoo.hpl.hp.com
On Mon, 24 Feb 1997, Dave Kristol wrote:
> "David W. Morris" <dwm@xpasc.com> wrote on Fri, 21 Feb 1997 20:03:02 -0800 (PST):
> > [among other things...]
>
> > NOW given that we seem to need a new header for the new cookie format,
> > could we PLEASE add the ability to mark cookies as both expiring AND NEVER
> > stored on disk? In that case, the cookie expires the earlier of
> > expiration time or when the client shutsdown.
>
> While I have no objections to this idea, it's the first time I can
> remember its being expressed here. Did I miss it?
No, I believe you and I discussed the concept briefly at the last IETF but
I believe we concluded it was a future change because of timing and
compatibility concerns between original and 'new' cookies. I brough it up
now because it looked like a new header was needed for setcookie to
resolve other issues so perhaps there was a window of opportunity here.
>
> Want to suggest a syntax?
sure ...
add a line to the definition of 'cookie-av':
| "Nopersist"
defined as:
Nopersist
Optional. The Nopersist attribute requires that the cookie never be
retained beyond the lifetime of the current executing instance of
the user agent. Nopersist is the default when the Max-age attribute
is not specified. When Nopersist and Max-age is specified, the
cookie's lifetime should be the lesser of the two requirements.
I have no particular affinity for "Nopersist" ... another attribute
name would be fine. I didn't include the "don't write to disk" phrase
because the "never be retained" requirement is difficult to meet in the
face of a system failure and restart and in the end my concern is not
security of the data but rather a consistent state model for the www
application.
Dave Morris
Received on Monday, 24 February 1997 14:09:33 UTC