RE: LAST CALL, "HTTP State Management Mechanism (Rev1) " to Propo

I have a number of remaining concerns with the HTTP State Management
Mechanism draft-02. They range from editorial and clarity to
functional. I'll sumarize the functional concerns and then step
thru the draft with detailed comments and/or suggestions.

Functional Concerns:

  1.  The cookie/cookie2 interoperational requirement that clients
      clients merge the values from two cookie/cookie2 and servers
      split the values present unnecessary implementation complexity
      and opportunity for errors to conver a transition interval
      and to save small amount of network traffic. More below.

  2.  I see no advantage to requiring the use of a FQHN in all
      cases. It is sufficient to exactly match the host name
      between URL's response which set the cookie and the URL
      candidate for inclusion of the cookie. Intranet applications
      work quite nicely with host names which are not FQHNs.
      Furthermore, in the intranet context this has the potential
      of requiring a user to type a FQHN to access an application
      which uses Cookies. An unnecessary restriction. We
      have already concluded in discussions relationg to 2068
      and the Host: header that it is impossible to require a UA
      to expand a simple host name into a FQHN.

  3.  Requiring the leading period in the domain= value can be
      avoided by simply requiring that the client add the period
      if it isn't provided prior to performing the domain matching.

  4.  There was a significant amount of interest/support for the
      CommentURL as a better mechanism for communication between
      the server and the user.

Dave Morris ---------------------->

Proposed changes and additional comments:

:: 2. Terminology
:: The terms request-host and request-URI refer to the values the client
:: would send to the server as, respectively, the host (but not port) and
:: abs_path portions of the absoluteURI (http_URL) of the HTTP request
:: line.  Note that request-host must be a FQHN.
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  delete this phrase

:: Host names can be specified either as an IP address or a FQHN string.

Replace the above line with:
   Host names can be specified in any form acceptable to the base
   HTTP protocol. That may be an IP address, an incomplete host name
   string, or a FQHN string which is the prefered form.

:: Sometimes we compare one host name with another.  Host A's name domain-
:: matches host B's if

Replace the following two points:

::    * both host names are IP addresses and their host name strings
::      match exactly; or

::    * both host names are FQDN strings and their host name strings
::      match exactly; or

    * both host name strings match exactly (this applies to IP
      addresses and host name strings which are not FQHNs).

::    * A is a FQDN string and has the form NB, where N is a non-empty
::      name string, B has the form .B', and B' is a FQDN string.
::      (So,  domain-matches but not


:: There are, of course, many different potential contexts and thus many
:: different potential types of session.  The designers' paradigm for
:: sessions created by the exchange of cookies has these key attributes:
::   1.  Each session has a beginning and an end.
::   2.  Each session is relatively short-lived.
::   3.  Either the user agent or the origin server may terminate a
::       session.
::   4.  The session is implicit in the exchange of state information.

I believe the above paragraphis is an unnecessary elaboration and
furthermore points 1 and 2 are incorrect. Point 2 is in
conflict with examples later in the document when storage of
preferences is discussed. If something like this paragraph remains,
points 1 and two should be more like:
     1.  Each session as an explicit beginning and an end which
         can be approximated based on time and/or user termination
         of user agent execution.
     2.  A cookie based session last over the interval appropriate
         to the context established by the session.


:: 4.2.2 Set-Cookie2 Syntax

An earlier comment was made about quotes in the "Port" attribute,
but I think there are additional problems with the syntax as
specified and suggest that:

::                 |       "Port" [ "=" <"> 1#port-list <"> ]
:: port-list       |       1#DIGIT

be replaced with:

                   |       "Port" [ "=" portnum | <"> 1#portnum <"> ]
   portnum         =       1*DIGIT

If I correctly understand RFC2068 syntax, 1#X means 1 or more
occurances of X delimited by commas. My changes fix the "="
in port-list, the 1#DIGIT in port list and make the quotes
optional for the single port case.

To support the CommentURL, add:

                    |    "CommentURL" "=" <"> http_URL <">


I think the issue is not so much that a cookie can contain private
information as it can be used to derive private information. Thus
I think the following:

:: Comment=comment
::   Optional.  Because cookies can contain private information about a
::   user, the Comment attribute allows an origin server to document how
::   it intends to use the cookie.  The user can inspect the information

should be changed to read something like:
     Optional.  Because cookies can be used to derive or store
     private information about a user, the Comment attribute allows an
     origin server to document how it intends to use the cookie. ...

and also to support the CommentURL in the description section, add:

      Optional.  Because cookies can be used to derive or store
      private information about a user, the CommentURL
      attribute alows an origin server to document how it intends
      to use the cookie.  The user can inspect the information
      identified by the URL to decide whether to initiate or
      continue a session with this cookie.

:: Domain=domain
::    Optional.  The Domain attribute specifies the domain for which the
::    cookie is valid.  An explicitly specified domain must always start
::    with a dot.

Change the 'must' in the last sentence to 'should' and add:
  If the domain does not start with a dot, the client MUST prepend
  the dot logically prior to use of the domain value.

:: 4.2.3 Controlling Caching

:: HTTP/1.1 servers must send Expires: old-date (where old-date is a date
:: long in the past) on responses containing Set-Cookie2 response headers
:: unless they know for certain (by out of band means) that there are no
:: upstream HTTP/1.0 proxies.  HTTP/1.1 servers may send other Cache-
                            ^^^^ insert:
         or that any upstream proxies will not cache the response.

:: Control directives that permit caching by HTTP/1.1 proxies in addition
:: to the Expires: old-date directive; the Cache-Control directive will
:: override the Expires: old-date for HTTP/1.1 proxies.

For example, is it has been fairly well accepted that HTTP/1.0
proxies will not cache responses to POST requests or requests which
include a '?' part.

:: 4.3 User Agent Role

:: Port   The default behavior is that a cookie may be returned only to
::        its request-port.

I think the correct default for Port is:

   Port   If the Port attribute is not specified, there are no
          port restrictions for subsequent use of the cookie.  If the
          Port attribute is specified without a value, the cookie
          may only be sent in a request to the same port that it
          was received on.

:: 4.3.2 Rejecting Cookies
::    * The value for the Domain attribute contains no embedded dots
::      or does not start with a dot.
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^  delete the phrase

::    * A Set-Cookie2 with will be rejected because the
::      value for Domain does not begin with a dot.

The above example should be deleted or replace with something like:
      * A Set-Cookie2 with will have a dot prepended
        to value for Domain because it does not begin with a dot.

:: 4.3.3  Cookie Management  If a user agent receives a Set-Cookie2
:: response header whose NAME is the same as a pre-existing cookie, and
                  ^^ insert 'value with a cookie'
:: whose Domain and Path attribute values exactly (string) match those

A single set-cookie2 response header can contain multiple cookies.

:: Because user agents have finite space in which to store cookies, they
:: may also discard older cookies to make space for newer ones, using, for
:: example, a least-recently-used algorithm, along with constraints on the
:: maximum number of cookies that each origin server may set.
                 ^^ insert 'or size'

:: If a Set-Cookie2 response header includes a Comment attribute, the user
:: agent should store that information in a human-readable form with the
:: cookie and should display the comment text as part of a cookie
          ^^^ or
:: inspection user interface.

The critical issue is that the Comment be made available to the user.
With the 'and' included, the specification makes an unnecessary
implementation restriction. How it is stored is not important unless
poking around in the storage area is the only mechanism the user
has for examination of the cookie.

To support CommentURL, the following should be added:
  If a Set-Cookie2 response header includes a CommentURL attribute,
  the user agent should either store the value in a human-readable
  form with the cookie or preferably allow the user to link to the
  URL as part of a cookie inspection interface.

:: 4.3.4 Sending Cookies to the Origin Server

:: The value of the cookie-version attribute must be the value from the
:: Version attribute of the corresponding Set-Cookie2 response header.
:: Otherwise the value for cookie-version is 0.  The value for the path
:: attribute must be the value from the Path attribute, if any, of the
:: corresponding Set-Cookie2 response header.  Otherwise the attribute
:: should be omitted from the Cookie request header.  The value for the
:: domain attribute must be the value from the Domain attribute, if any,
:: of the corresponding Set-Cookie2 response header.  Otherwise the
:: attribute should be omitted from the Cookie request header.

I read the above to make sending of the $path and $domain values
on a cookie: response header as optional.  To me it says, if the
$path and $domain values are sent, then be the values in the
set-cookie2 response header. Is this what is intended? Based on
later examples, I would have expected it be required that they
be returned if set.


::     2.  If the attribute is present but has no value (e.g., Port),
::         the cookie must only be sent to its request-port.
       would be clearer I think if replaced with:
           "the request-port it was received from.

4.3.5 Sending Cookies in Unverifiable Transactions
:: However, even this would not make all links verifiable; for example,
:: links to automatically loaded images would not normally be subject to
                                       ^^^ insert "or other objects
                                                   such as frame
:: ``mouse pointer'' verification.

:: Many user agents also provide the option for a user to view the HTML
:: source of a document, or to save the source to an external file where it
:: can be viewed by another application.  While such an option does provide
:: a crude review mechanism, some users might not consider it acceptable
:: for this purpose.

That is the understatement of the year .... I would prefer words like
                             "many users would"

:: 4.5  Caching Proxy Role
:: Proxies must not introduce Set-Cookie2 (Cookie) headers of their own
           ^^^^ I would prefer 'should'
:: in proxy responses (requests).

:: 5. Examples

It looks to me like the exmaples are WRONG ... the syntax requires
the version prior to the cookie name/value. (This also implies
the historical rules for merging cookie and cookie2 are wrong).

:: 6.1 Set-Cookies Content

:: The session information can obviously be clear or encoded text that
:: describes state.  However, if it grows too large, it can become
:: unwieldy.  Therefore, an implementor might choose for the session
:: information to be a key to a server-side resource.

The above is fine and sufficient.  The following comment asserts
a motivations for this specification which has not been established
and which I would disagree with. Delete the following ....

::                                                    Of course, using
:: a database creates some problems that this state management
:: specification was meant to avoid, namely:
::   1.  keeping real state on the server side;
::   2.  how and when to garbage-collect the database entry, in case the
::       user agent terminates the session by, for example, exiting.

:: 6.3 Implementation Limits

Either delete the following completely or replace it. Dictating
that such a device dedicate 80K+ of storage to cookies is not

:: User agents created for specific purposes or for limited-capacity
:: devices should provide at least 20 cookies of 4096 bytes, to ensure
:: that the user can interact with a session-based origin server.

Calling something a limited capacity device, we have acknowledged
that we don't know its capabilities or its intended audience. I
don't advocate the following but could tolerate it if we are
compelled to say anything:

   User agents created for specific purposes or for limited-capacity
   devices should provide sufficient cookie storage capacity to
   address the requirements of the applications they are intended
   to serve.

:: 7.1  User Agent Control

The following is implementation advice which can be dropped. Surely
we need not instruct UA authors about data integrity.

:: NOTE: User agents should probably be cautious about using files to store
:: cookies long-term.  If a user runs more than one instance of the user
::agent, the cookies could be commingled or otherwise corrupted.

:: 10.1  Compatibility with Existing Implementations

As I stated in my introduction, I feel quite strongly that the
proposed handling of old and new cookies is wrong. I shall attempt
to proposed edits which will make this section fit my
:: An origin server that supports user agents that are compatible both
:: with Netscape's original proposal and this one must, for a transition
:: period, send two response headers.  Set-Cookie contains the ``old''
:: cookie information.
::                     Set-Cookie2 contains the cookie information that
:: is new to this specification.  The rules below ensure that the two
:: pieces get combined correctly.
::                                Eventually, when the majority of user
:: agents follow this specification, the Set-Cookie response header can
:: be phased out, and all cookie information can be carried in the
:: Set-Cookie2 response header.

by replacing the broken out middle section with
                       Set-Cookie2 contains the the same cookie
          information expressed according to this specification.

Then replace:
:: Once a server receives a new cookie from a client, it may continue a
:: session by sending only Set-Cookie2 response headers.

   New version of user agents which had previously stored cookies
   based on Netscape's original specifications should convert
   existing cookies by adding the $Version attribute with a value
   of 0 to signal to the server the ability to handle Set-cookie2
   format cookies.

   Once a session is initiated during the transition period using
   both set cookie headers in the first response to a user-agent
   the server will know from the cookie header received in the
   next request which form of cookies the user agent supports.
   The server should only send either the Set-cookie2 if it is
   supported or the set-cookie if Set-cookie2 is not supported on
   subsequent responses which require an updated cookie value.

Then delete sections "10.1.1 Combining Set-Cookie and Set-cookie2"
and "10.1.2 An Example".

Received on Sunday, 13 July 1997 17:54:37 UTC