- From: Dan Winship <dan.winship@gmail.com>
- Date: Wed, 20 Aug 2008 08:58:03 -0400
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: ietf-http-wg@w3.org
Julian Reschke wrote: > To be complete we would also need to cite the original spec > (<http://www.netscape.com/newsref/std/cookie_spec.html>, 404s...). We > already have three cookie-related references; enough is enough, isn't it? Well, but that one is more worth citing than some of the others, since it's pretty much what people actually implement in practice. > The currently proposed text is at: > <http://www3.tools.ietf.org/wg/httpbis/trac/attachment/ticket/129/i129.diff> AFAIK, the problem is only with "Set-Cookie", not "Cookie". (There's no need to send multiple Cookie headers; the spec says you're supposed to include all of the cookies, semicolon-delimited, in a single Cookie header.) > Brian also proposed to make this REQUIRED behavior. FWIW, 3 out of the big 4 browsers also don't correctly parse multiple WWW-Authenticate headers that have been merged into one (even though 2617 explicitly points out this possibility). So it might be best to just say that intermediaries SHOULD NOT merge headers, except in cases where they know it's safe. -- Dan
Received on Wednesday, 20 August 2008 12:59:13 UTC