W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2008

Re: Set-Cookie vs list header parsing (i129), was: NEW ISSUE: repeating non-list-type-headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 15 Aug 2008 20:21:53 +0200
Message-ID: <48A5C941.3050306@gmx.de>
To: Dave Kristol <dmk-http@kristol.org>
CC: HTTP Working Group <ietf-http-wg@w3.org>

Dave Kristol wrote:
> Regarding this comment:
> (That nobody implements RFC2109 is implied in RFC2965, which obsoletes
> RFC2109 and in section 9 talks about using Set-Cookie2 alongside
> Netscape style Set-Cookies, not mentioning RFC2109 style Set-Cookiess. I
> think this reflects the observation at the time that the change of
> Set-Cookie syntax promoted in RFC2109 wasn't taken up, probably because
> it's not backward compatible.)
> I wrote a paper that describes the standardization process for cookies
> in excruciating detail.  You can get it at
> <http://arxiv.org/abs/cs.SE/0105018>.  I'll refer to some of its
> sections below
> Appendix section A.2, particularly A.2.3, discusses the problem of
> "folding" multiple Cookie headers, that is the problem of "," and ";"
> separators.  I suspect (but have no proof) that, in self-defense,
> current clients and servers treat Cookie as a special case and are
> careful to send each cookie in its own header, rather than merge them.
> Appendix B describes where Set-Cookie2 came from.  It had nothing to do
> with "," vs. ";", at least originally.  Work on what became RFC 2965
> began shortly after RFC 2109 came out, to fix an incompatibility we
> found.  That work began well before RFC 2109 would have had any time to
> be adopted.  The long time gap between RFC 2109 and RFC 2965 arose from
> other factors.  See section 4.3.3.
> It was certainly our goal (see section 4.3) to introduce upward- (or is
> it downward- ?) compatible changes, though we had to deal with the hand
> that Netscape's specification dealt us.  We obviously didn't succeed.
> Dave Kristol


thanks for the pointer. I wish we had more documentation like this to 
help those who joined the WG much later.

With respect to the original issue -- I think it would be a service to 
readers to point out that this:

    Multiple message-header fields with the same field-name MAY be
    present in a message if and only if the entire field-value for that
    header field is defined as a comma-separated list [i.e., #(values)].
    It MUST be possible to combine the multiple header fields into one
    "field-name: field-value" pair, without changing the semantics of the
    message, by appending each subsequent field-value to the first, each
    separated by a comma. The order in which header fields with the same
    field-name are received is therefore significant to the
    interpretation of the combined field value, and thus a proxy MUST NOT
    change the order of these field values when a message is forwarded. 
-- <http://tools.ietf.org/html/rfc2616#section-4.2>

...is wishful thinking in practice, because of Cookie and Set-Cookie (as 
used in practice, not defined in RFC2109).

How about:

--- snip ---

Note: the "Cookie" and "Set-Cookie" headers as implemented in practice 
(as opposed to how they are specified in [RFC2109]) can occur multiple 
lines, but do not use the list syntax, and thus can not be combined into 
a single line (see [Kri2001] for details). Also note that the 
Cookie2/Set-Cookie2 headers specified in [RFC2965] do not share this 

--- snip ---

BR, Julian
Received on Friday, 15 August 2008 18:22:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:13:37 UTC