W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2008

Re: Set-Cookie vs list header parsing (i129)

From: Dan Winship <dan.winship@gmail.com>
Date: Wed, 20 Aug 2008 08:58:03 -0400
Message-ID: <48AC14DB.7010206@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
CC: ietf-http-wg@w3.org

Julian Reschke wrote:
> To be complete we would also need to cite the original spec
> (<http://www.netscape.com/newsref/std/cookie_spec.html>, 404s...). We
> already have three cookie-related references; enough is enough, isn't it?

Well, but that one is more worth citing than some of the others, since
it's pretty much what people actually implement in practice.

> The currently proposed text is at:
> <http://www3.tools.ietf.org/wg/httpbis/trac/attachment/ticket/129/i129.diff>

AFAIK, the problem is only with "Set-Cookie", not "Cookie". (There's no
need to send multiple Cookie headers; the spec says you're supposed to
include all of the cookies, semicolon-delimited, in a single Cookie header.)

> Brian also proposed to make this REQUIRED behavior.

FWIW, 3 out of the big 4 browsers also don't correctly parse multiple
WWW-Authenticate headers that have been merged into one (even though
2617 explicitly points out this possibility). So it might be best to
just say that intermediaries SHOULD NOT merge headers, except in cases
where they know it's safe.

-- Dan
Received on Wednesday, 20 August 2008 12:59:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:54 GMT