Re: Cookie crumbling in -09

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 18 Nov 2013 09:30:10 +0100
Message-ID: <5289D012.80402@gmx.de>
To: Willy Tarreau <w@1wt.eu>, Martin Thomson <martin.thomson@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 2013-11-18 05:52, Willy Tarreau wrote:
> Hi Martin,
>
> On Sun, Nov 17, 2013 at 04:44:19PM -0800, Martin Thomson wrote:
>> On 16 November 2013 00:02, Willy Tarreau <w@1wt.eu> wrote:
>>> Indeed, right now applications correctly handle cookie as a list
>>> of values which can be aggregated using commas like any other header
>>> field.
>>
>> All the discussions thus far, plus a reasonably careful reading of RFC
>> 6265 leads me to conclude that this is not the case.  In particular,
>> http://tools.ietf.org/html/rfc6265#section-5.4 is quite clear:
>>
>>     When the user agent generates an HTTP request, the user agent MUST
>>     NOT attach more than one Cookie header field.
>
> Indeed, I'm noticing this change in this version. Both 2109 and 2965 used
> to define it this way using ';' or ',' as delimiters :
>
>    cookie          =  "Cookie:" cookie-version 1*((";" | ",") cookie-value)

But that's not the "list" rule that 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-25.html#rfc.section.3.2.2.p.2> 
refers to.

> I have no idea why Adam proposed this change in a way incompatible with
> what was done for 15 years. Also I know a number of places where reverse
> proxies add Cookie headers before passing the request to the server
> (generally with user information or geoloc info). It's been said for a
> while that only the Set-Cookie header could not be folded (because of the
> date containing a comma) while the Cookie header can.

As far as I remember, this didn't come up while the httpstate WG worked 
on the new cookie spec.

>> Given the grammar, which doesn't use the list construction or a comma,
>> merging with commas would seem to be invalid.
>
> It used to be before 6265 at least.

Nope, see above.

> ...

Best regards, Julian
Received on Monday, 18 November 2013 08:30:39 UTC
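
The difference between the two merge rules discussed in this thread, as an added example that is not part of the original message: it folds two Cookie field values once with the generic comma list rule and once with "; ", then parses both with a simplified parser that follows the RFC 6265 cookie-string grammar. The function names and sample header values are constructed for illustration, and the parser is not any particular server's implementation.

```python
# Added example: comma folding versus "; " joining of Cookie field values.
# All names and sample values here are constructed for illustration.

def parse_cookie_string(value):
    """Parse a Cookie field value as RFC 6265 cookie-string:
    cookie-pair *( ";" SP cookie-pair ). Only ';' separates pairs."""
    pairs = []
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep or not name:
            continue  # skip empty segments and segments without '='
        pairs.append((name.strip(), val.strip()))
    return pairs

def merge_as_list(values):
    """Fold repeated fields with the generic list rule (comma separated)."""
    return ", ".join(values)

def merge_as_cookie(values):
    """Fold repeated fields with the cookie-string delimiter instead."""
    return "; ".join(values)

def find_comma_folding(value):
    """Return pairs whose value contains ',', which cookie-octet in
    RFC 6265 does not allow; a sign that fields were comma-folded."""
    return [(n, v) for n, v in parse_cookie_string(value) if "," in v]

# Constructed sample: one field from the client, one added by a reverse
# proxy (the geoloc case mentioned in the quoted message).
FIELDS = ["sid=abc123; theme=dark", "geo=FR"]

if __name__ == "__main__":
    for label, merged in (("list rule", merge_as_list(FIELDS)),
                          ("cookie rule", merge_as_cookie(FIELDS))):
        print(label, "->", merged)
        print("  parsed: ", parse_cookie_string(merged))
        print("  suspect:", find_comma_folding(merged))
```

With the comma-folded value, the proxy's `geo` cookie disappears into the value of `theme`, so a backend that relies on it never sees it as a separate cookie.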
