W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: new cookie draft

From: Dave Kristol <dmk@bell-labs.com>
Date: Fri, 21 Mar 1997 11:56:18 -0500
Message-Id: <3332BDB2.2C67412E@bell-labs.com>
To: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
Cc: http-wg@cuckoo.hpl.hp.com
Ross Patterson wrote:
> 
> Yaron Goland <yarong@microsoft.com> writes:
> 
> [about ports...]

There seem to be two contradictory threads going on here.  On the one hand,
some folks want to be able to specify the port, to restrict where cookies
go.  On the other, folks want it to be possible to send the same cookie to
multiple ports on the same server.  And we have to remember the port 80
(http) vs. port 443 (https) problem, of sending a cookie in both a secure
and an insecure connection.

Another factor is that the same cookie can be sent to multiple domain
names.  Is the port transitive?

I oppose the idea of changing the Domain= syntax, for compatibility
reasons.  I can support a Port= addition to Set-Cookie2.  I had thought of
such before, and the port restriction I added was an attempt to accomplish
the restriction implicitly.

I would welcome a *complete* proposal for port handling that addresses the
concerns above, and that deals with what the correct behavior should be if
Port= is omitted from Set-Cookie2.

> [...]

> I've been avoiding commenting on the new draft, since I thought RFC 2109
> was good enough, but since I'm writing now, I have to make a few other
> points:
> 
>    1) "SetCookie2" is a lousy name for the function we're discussing.
>       "SetSessionState" or something similar would be much better than a
>       number-suffixed oddity.  If we MUST use the C-word, perhaps
>       "CreateCookie" or "DefineCookie" would do the job?

[Deep breath.  History, dating back to late 1995!]

In the beginning, those of us in the state management sub-group set out to
agree on a mechanism.  As a practical matter, with Netscape's cookies
already deployed, it made sense to standardize them, tightening up the spec
where we saw holes.  The idea was to have something fully compatible with
Netscape's cookies and most existing uses.  We planned to use Cookie and
Set-Cookie for the obvious reasons.

Recently we became aware of forward compatibility problems with MSIE.  My
attempt to address it has been to add another header which can eventually
subsume Set-Cookie.  Meanwhile (and the new I-D gives the rules), pieces of
Set-Cookie and Set-Cookie2 (the new header) get combined to form a complete
Set-Cookie2 header.  The goal has been to let V0 cookie clients continue to
work, V1 cookie clients begin to work, and both V0 and V1 servers can talk
to either flavor client.  Set-Cookie2 was chosen as an obvious relation to
Set-Cookie.  Why muck with it?  (I never liked Cookie or Set-Cookie, but
the exist, they work, and they won't go away.)
> 
>    2) If the resulting request header was "SessionState" instead of
>       "Cookie", wouldn't all the odd syntax that derives from
>       Cookie-compatability be resolvable?  I understand that this looks
>       like a large change, and is likely to raise someone's ire, but
>       changing from "SetCookie" to "SetCookie2" has already introduced a
>       sufficiently large incompatability that existing browers will
>       require code changes to support the new mechanism.  If code
>       changes are required, shouldn't we take the opportunity to resolve
>       things like the EXPIRES syntax?

If my paragraphs above haven't answered this, read the I-D (again).  We are
trying to introduce the new stuff compatibly.  Yes, it would be nice to do
something from scratch to "get it right", but it's a bit late for that.
The I-D addresses Expires in the transitional phase.  Note that there is no
Expires in Set-Cookie2 -- it's replaced by Max-Age.

> 
>    3) Section 2 "TERMINOLOGY" says that:
> 
> [definition of domain-match]
> 
>       This implies, especially to those who've never read the DNS RFCs,
>       that FQDN strings are case-sensitive.  Since domain names are not,
>       neither should they be.  I've had enough trouble convincing newbie
>       RFC-readers that this is the case elsewhere in HTTP that I'd like
>       to see it explicitly stated here.  Unless of course I'm completely
>       wrong.

You're right, FQDN's are case-INsensitive.  That's a note worth making.

Dave Kristol
Received on Friday, 21 March 1997 09:02:07 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:32 EDT