Re: Set-Cookie vs list header parsing (i129), was: NEW ISSUE: repeating non-list-type-headers

On 08/13/2008 04:07 PM, Julian Reschke wrote:
> Julian Reschke wrote:
>> Hi.
>> It seems to me that we really should open a separate issue (*) for 
>> this one, so that it doesn't get lost.
>> ...
> Opened as <>.

Regarding this comment:

(That nobody implements RFC2109 is implied in RFC2965, which obsoletes
RFC2109 and in section 9 talks about using Set-Cookie2 alongside
Netscape style Set-Cookies, not mentioning RFC2109 style Set-Cookies. I
think this reflects the observation at the time that the change of
Set-Cookie syntax promoted in RFC2109 wasn't taken up, probably because
it's not backward compatible.)

I wrote a paper that describes the standardization process for cookies
in excruciating detail.  You can get it at
<>.  I'll refer to some of its
sections below.

Appendix section A.2, particularly A.2.3, discusses the problem of
"folding" multiple Cookie headers, that is the problem of "," and ";"
separators.  I suspect (but have no proof) that, in self-defense,
current clients and servers treat Cookie as a special case and are
careful to send each cookie in its own header, rather than merge them.

Appendix B describes where Set-Cookie2 came from.  It had nothing to do
with "," vs. ";", at least originally.  Work on what became RFC 2965
began shortly after RFC 2109 came out, to fix an incompatibility we
found.  That work began well before RFC 2109 would have had any time to
be adopted.  The long time gap between RFC 2109 and RFC 2965 arose from
other factors.  See section 4.3.3.

It was certainly our goal (see section 4.3) to introduce upward- (or is
it downward- ?) compatible changes, though we had to deal with the hand
that Netscape's specification dealt us.  We obviously didn't succeed.

Dave Kristol

Received on Thursday, 14 August 2008 15:48:34 UTC
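
Added illustration, not part of the original message: the folding problem discussed above, shown for Set-Cookie, where a Netscape-style expires date itself contains a comma. The header values are constructed samples and the function names are hypothetical; the generic splitter stands in for any intermediary or library that treats Set-Cookie as an ordinary comma-separated list header.

```python
# Added example. Header values are constructed; function names are hypothetical.

def fold(values):
    """Merge repeated fields into one, as RFC 2616 sec. 4.2 allows for list headers."""
    return ", ".join(values)

def split_list_header(value):
    """Generic list-header split: each comma outside a quoted string is a separator."""
    parts, cur, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def cookie_name(set_cookie_value):
    """Text before the first '=' of the first ';'-delimited pair."""
    first_pair = set_cookie_value.split(";", 1)[0]
    return first_pair.split("=", 1)[0].strip()

# Two separate Set-Cookie fields as an origin server might send them (constructed).
SET_COOKIE_FIELDS = [
    "session=abc123; expires=Wed, 13-Aug-2008 16:07:00 GMT; path=/",
    "theme=dark; path=/",
]

def names_when_kept_separate(fields):
    """Safe handling: one cookie per header field, never merged."""
    return [cookie_name(f) for f in fields]

def names_after_fold_and_split(fields):
    """Lossy handling: merge with ', ' and split again on commas."""
    return [cookie_name(p) for p in split_list_header(fold(fields))]

if __name__ == "__main__":
    print(names_when_kept_separate(SET_COOKIE_FIELDS))
    print(split_list_header(fold(SET_COOKIE_FIELDS)))
    print(names_after_fold_and_split(SET_COOKIE_FIELDS))
```

After the round trip the session cookie has a truncated expires value and no path attribute, and the date remainder appears as a spurious third element, which is why Set-Cookie fields need to be kept one per header.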