- From: Foteos Macrides <MACRIDES@sci.wfbr.edu>
- Date: Fri, 11 Jul 1997 23:21:18 -0500 (EST)
- To: http-wg@cuckoo.hpl.hp.com
Dave Kristol <dmk@bell-labs.com> wrote:
>Yaron Goland wrote:
>>
>> Oops sorry, things do tend to fall between the cracks.
>
>> Comments:
>> 4.2.2 - "If an attribute appears more than once in a cookie, the
>> behavior is undefined." Undefined things have a habit of defining
>> themselves, let us not repeat the mistakes which caused so much trouble
>> with cookies in the first place. If an attribute appears more than once
>> then the first appearance defines the value and subsequent attributes
>> are ignored.
>
>My apologies. I did not willfully fail to incorporate these comments,
>but did so through oversight.
>
>Others have addressed Yaron's other remarks and follow-ups.
>
>I will be on vacation for another week, so I clearly won't have a new
>draft ready before the 7/15 deadline, but I will submit one after I
>return home.

If you're going to be submitting another draft, I suggest that in the section explaining the port attribute you include an explicit statement that its value should be double-quoted if it's a comma-separated list of ports. It was not difficult to do "sanity checks" for whether what follows a comma is another port number versus the start of another cookie if the value is not double-quoted, but it would be better to promote the double-quoting explicitly, particularly because in "historical" Set-Cookie headers the expires attribute value, which includes commas, is not double-quoted (for backwardness compatibility).

Yaron's other criticism of 4.2.2, regarding the mushiness of the "at least as secure" phrase, is the same one I raised some time ago, and you answered at length, so Yaron (and Larry as well if he's forgotten) can find that in the archives.

However, now that the blanket port restriction has been lifted, and cookies can be shared between https and http servers unless the secure attribute was specified, it might be worth indicating that UAs can offer human users the option to set cookies as secure in addition to taking any "advice" about that from the server's Set-Cookie/Set-Cookie2 header(s). That's just an "implementation issue", so it's OK if you'd rather not, but we did make that both a configuration and run-time option in Lynx.

These are just comment/explanation suggestions. The actual specs are fine.

Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU      222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
Received on Friday, 11 July 1997 20:25:26 UTC
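As an added example (not code from this thread, the Lynx project or the draft), a small Python parser for Set-Cookie2 header values that applies the two points raised above: the "sanity check" for an unquoted comma in a Port value, generalized here to any unquoted attribute value (a new cookie must begin with NAME=VALUE, so a historical unquoted expires date survives as well), and first-appearance-wins for a repeated attribute. Function names and the sample headers are assumptions constructed for the example.

```python
# Added example (not from the thread or Lynx): a minimal Set-Cookie2 parser
# applying the two points above -- an unquoted comma separates cookies only
# when a new NAME=VALUE follows it (so "Port=80,8080" and a historical
# "expires=Wed, 09-Nov-1999 ..." stay intact), and a repeated attribute
# keeps its first appearance.

def _split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def split_cookies(header):
    """Split one Set-Cookie2 header value into per-cookie strings."""
    cookies = []
    for chunk in _split_unquoted(header, ","):
        # Sanity check: a new cookie must start with NAME=VALUE; a chunk whose
        # first ';'-segment lacks '=' continues the previous unquoted value.
        if cookies and "=" not in chunk.split(";", 1)[0]:
            cookies[-1] += "," + chunk
        else:
            cookies.append(chunk.strip())
    return cookies

def parse_cookie(cookie_text):
    """Parse NAME=VALUE plus attributes; a repeated attribute keeps the first."""
    segments = _split_unquoted(cookie_text, ";")
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        key = key.strip().lower()
        if key and key not in attrs:  # first appearance defines the value
            attrs[key] = val.strip().strip('"')
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def port_list(cookie):
    """Return the Port attribute as a list of ints (empty if absent)."""
    raw = cookie["attrs"].get("port", "")
    return [int(p) for p in raw.split(",") if p.strip().isdigit()]
```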