- From: Dave Kristol <dmk@allegra.att.com>
- Date: Sun, 21 Jan 1996 18:26:20 -0800
- To: BearHeart / Bill Weinman <bearheart@bearnet.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Bill Weinman wrote (regarding state management status):

[...]

> I look forward to seeing this. I was disappointed by Netscape's
> implementation of their persistent cookies. I sent them email with
> a discussion of the shortcomings and never got a reply (actually,
> I've never gotten a reply to any of my email to Netscape).

I hesitate to enter into point-by-point discussion until we have a full proposal to present, but I will make some comments.

> In particular: (excerpted from the Cookies chapter in my book)
>
> 7.6.1 Top-Level Domain Safeguards

We are going to try to produce decent wording for the "two-/three-dot rule". It's hard!

> 7.6.2 The Expires Tag

Your comments about whose time "expires" applies to, and how it is parsed, are noted.

> The other problem I have with this implementation is that there
> is no way to set up a session without a round-trip, and there is currently
> no way to generate a round-trip without requiring some user interaction.
> In other words, I would like to be able to set a cookie and read it back
> (necessary to confirm that the browser installed the cookie) with just
> headers, but attempts to do this with Netscape result in the "page has
> no data" dialog--and no response at all from the browser.

This sounds contrary to HTTP's request/response paradigm. I don't think we'll solve this to your satisfaction, at least on this iteration. For one thing, we will require browser vendors to give users the ability not to begin a session, so you might not get the confirmatory acknowledgement.

> So, some "cookie-only" response code (or a generic "header-only")
> would help the usefulness of cookies for maintaining sessions.
>
> There does not seem to be an appropriate response code for this
> in draft-ietf-http-v11-spec-00.txt, perhaps a 100-level response
> code would be appropriate.
>
> BTW, as they are right now, I see no advantage to Netscape Cookies
> over hidden form-fields, other than their persistence. It would be
> really nice to be able to use them for short-term (i.e. single-session)
> session management.

The advantage comes from the ability to cache some pages (under the right circumstances) that have associated cookies. You can't do that if the cached information would include hidden fields.

Please defer further discussion of state management on http-wg until the sub-group can present a fully thought out proposal. You can send private thoughts/concerns to me for consideration, though.

Dave Kristol
Received on Sunday, 21 January 1996 18:29:07 UTC