W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

RE: Issues with the cookie draft

From: Yaron Goland <yarong@microsoft.com>
Date: Sat, 22 Mar 1997 01:38:01 -0800
Message-Id: <11352BDEEB92CF119F3F00805F14F485026B7243@RED-44-MSG.dns.microsoft.com>
To: "'hedlund@best.com'" <hedlund@best.com>, Dave Kristol <dmk@research.bell-labs.com>
Cc: http-wg@cuckoo.hpl.hp.com
I'll come up with a rule to handle your cases as soon as you come up
with a rule to allow me to share cookies across:

companyname.com
productname.companyname.com
version1.productname.companyname.com
version2.productname.companyname.com
version3.productname.companyname.com

The current spec prevents sharing cookies amongst those servers. That
does not seem terribly reasonable.

		Yaron

> -----Original Message-----
> From:	M. Hedlund [SMTP:hedlund@best.com]
> Sent:	Friday, March 21, 1997 8:02 PM
> To:	Dave Kristol
> Cc:	Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject:	RE: Issues with the cookie draft
> 
> 
> On Fri, 21 Mar 1997, Dave Kristol wrote:
> > What do others think?  The idea is, if the user agent or,
> > presumably, the origin server, receives a Set-Cookie (Cookie) header
> that
> > is non-conforming, the receiver *must* ignore the header.
> 
> Since cookies are widely set by content providers through simple
> server
> extensions (as opposed to just by relatively few server implementors),
> I
> think this is a bad idea.  All sorts of non-RFC readers will be
> setting
> cookies.  Let's make it as easy on them as possible. I would want the
> client to do its best to figure out the server's intent, while
> adhering to
> the spec. 
> 
> I don't think our current predicament is really caused by clients
> being too
> liberal in what they accept; it seems to have been caused by the lack
> of a
> specification in the original cookie proposal for what a browser
> should do
> with extra attributes in a set-cookie.  The RFC contains the line:
> 
> > 4.3.1  Interpreting Set-Cookie2 [...]
> > The user agent should ignore attribute-values pairs whose attribute
> it
> > does not recognize. 
> 
> ...which should solve the problem we have been addressing.  I don't
> think
> that just because we've had this problem, we should make the clients
> require strict syntax.  What if two browsers have different
> interpretations
> of a conforming cookie?  If they both reject non-conforming cookies
> and
> disagree about what it means to conform, no one set-cookie syntax will
> work, and we'll have to switch on User-agent -- please, let's not
> create
> that problem again! 
> 
> >   > 4.3.2 Rejecting Cookies (how far into the domain do you go):
> >   > I appreciate that it was a long and drawn out debate but that is
> not a
> >   > sufficient rational for preventing perfectly reasonable
> behavior. The
> >   > decision to stop at one domain level is completely arbitrary. It
> is no
> >   > more and no less secure than 2 or infinite domain levels deep. I
> do not
> >   > feel that an arbitrary choice is a good enough reason to include
> a
> >   > requirement in a specification.
> > 
> > It wasn't completely arbitrary.  The goal was to protect privacy,
> and
> > the rule in the spec makes it harder for cookies to "leak" to
> servers
> > far removed from their origin.
> 
> I disagree that there was any arbitrariness involved on our part.  The
> arbitrary factor is the designation of an organizational unit in a
> domain
> name.  If you want to change this, come up with a rule that
> sufficiently
> covers the following cases:
> 
> .com.	
> .sun.com	
> .foo.sg
> .demon.co.uk	
> .bar.com.au
> .powells.pdx.or.us
> 
> On Fri, 21 Mar 1997, Roy T. Fielding wrote:
> > I was hoping for "Set-Chips" (just a small addition to the cookie)
> > or "Set-Brownie" (that other thing we find at IETF meetings).
> 
> Oi, what have you started.  ;)  How about "Set-Baking-Soda" -- that
> required to make cookies fully baked? 
> 
> M. Hedlund <hedlund@best.com>
Received on Saturday, 22 March 1997 01:39:17 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:32 EDT