>   > NOW given that we seem to need a new header for the new cookie format,
>   > could we PLEASE add the ability to mark cookies as both expiring AND NEVER
>   > stored on disk?  In that case, the cookie expires the earlier of
>   > expiration time or when the client shuts down.
> While I have no objections to this idea, it's the first time I can
> remember its being expressed here.  Did I miss it?

No, I believe you and I discussed the concept briefly at the last IETF but
I believe we concluded it was a future change because of timing and
compatibility concerns between original and 'new' cookies. I brought it up
now because it looked like a new header was needed for setcookie to
resolve other issues so perhaps there was a window of opportunity here.

> Want to suggest a syntax?

sure ... 

add a line to the definition of 'cookie-av':

         | "Nopersist"

defined as:
       Optional. The Nopersist attribute requires that the cookie never be
       retained beyond the lifetime of the current executing instance of
       the user agent. Nopersist is the default when the Max-age attribute
       is not specified. When Nopersist and Max-age are specified, the
       cookie's lifetime should be the lesser of the two requirements.

I have no particular affinity for "Nopersist" ... another attribute
name would be fine. I didn't include the "don't write to disk" phrase
because the "never be retained" requirement is difficult to meet in the
face of a system failure and restart and in the end my concern is not
security of the data but rather a consistent state model for the www.

Dave Morris
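
The lifetime rule in the proposed definition, modelled as a small user-agent cookie store. This is an added example, not part of the original message or of any specification; `CookieJar`, `parse_cookie_avs`, the sample cookies and the dict standing in for the on-disk store are all assumptions made for illustration.

```python
def parse_cookie_avs(header_value):
    """Split 'NAME=VALUE; attr; attr=val' into (name, value, attrs)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        key, _, val = av.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class CookieJar:
    """One running instance of a user agent; `disk` models the persistent store."""

    def __init__(self, disk=None):
        self.disk = dict(disk or {})
        self.memory = dict(self.disk)  # cookies reloaded at start-up

    def set_cookie(self, header_value, now):
        name, value, attrs = parse_cookie_avs(header_value)
        max_age = attrs.get("max-age")
        expires = now + int(max_age) if max_age is not None else None
        # Nopersist is explicit, or the default when Max-age is absent.
        nopersist = "nopersist" in attrs or max_age is None
        self.memory[name] = {"value": value, "expires": expires,
                             "nopersist": nopersist}

    def get(self, name, now):
        cookie = self.memory.get(name)
        if cookie is None:
            return None
        if cookie["expires"] is not None and now >= cookie["expires"]:
            del self.memory[name]  # Max-age ran out before shutdown
            return None
        return cookie["value"]

    def shutdown(self, now):
        """Persist only unexpired cookies that are not Nopersist."""
        self.disk = {n: c for n, c in self.memory.items()
                     if not c["nopersist"] and c["expires"] > now}
        return self.disk
```

A cookie carrying both attributes therefore ends at whichever comes first: its Max-age deadline or the `shutdown()` of the instance that received it.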

