W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

the state of State

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Mon, 15 Dec 97 17:26:35 EST
Message-Id: <9712152226.AA00986@aleatory.tempo.bell-labs.com>
To: http-state@lists.research.bell-labs.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4961
At the IETF meeting I promised to send out a summary of where things
stand and where things ought to go to nail down a revised HTTP State
Management.  This is it.

Please keep the discussion on http-state@lists.research.bell-labs.com.
(See <http://www.bell-labs.com/mailing-lists/http-state/>.)  I'm sending
this message to http-wg only as a courtesy.

Step 1:  Nail down the "wire protocol".

	At the IETF meeting I believe we narrowed down the outstanding
	issue(s) to the domain-matching rules.  There are two
	sub-problems:  a) flat namespaces in intranets; and b) using
	the n-dot rule to restrict the set of servers to which a cookie
	can be returned.

	I believe we actually resolved the flat namespace problem.  The
	resolution is that, if the Domain attribute is omitted in
	Set-Cookie2, the client is restricted to return the cookie only
	to the server from which it came.  That rule applies regardless
	of the name (and how many dots it contains).

	That leaves the domain-matching restriction rules to address.

Step 2:  reach consensus on the "privacy rules"

	Attendees thought they could arrive at an agreement about the
	interaction of the (previous) privacy rules and the user

	The rules for unverifiable transactions, or at least the
	default user agent setting for them, remain contentious.

For now I would like to restrict the discussion "agenda bashing" for
Step 1 only.  Does anyone believe there are other outstanding issues?

Dave Kristol
Received on Monday, 15 December 1997 14:30:49 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC