Re: Set-Cookie vs list header parsing (i129)

Dan Winship wrote:
> Julian Reschke wrote:
>> To be complete we would also need to cite the original spec
>> (<http://www.netscape.com/newsref/std/cookie_spec.html>, 404s...). We
>> already have three cookie-related references; enough is enough, isn't it?
> 
> Well, but that one is more worth citing than some of the others, since
> it's pretty much what people actually implement in practice.

It's indirectly referenced through RFC2965, which now has an erratum 
pointing out the backup URL (thanks, Daniel) -- see 
<http://www.rfc-editor.org/errata_search.php?rfc=2965>.

>> The currently proposed text is at:
>> <http://www3.tools.ietf.org/wg/httpbis/trac/attachment/ticket/129/i129.diff>
> 
> AFAIK, the problem is only with "Set-Cookie", not "Cookie". (There's no
> need to send multiple Cookie headers; the spec says you're supposed to
> include all of the cookies, semicolon-delimited, in a single Cookie header.)

OK, see 
<http://www3.tools.ietf.org/wg/httpbis/trac/attachment/ticket/129/i129.3.diff>.

>> Brian also proposed to make this REQUIRED behavior.
> 
> FWIW, 3 out of the big 4 browsers also don't correctly parse multiple
> WWW-Authenticate headers that have been merged into one (even though
> 2617 explicitly points out this possibility). So it might be best to
> just say that intermediaries SHOULD NOT merge headers, except in cases
> where they know it's safe.

Time for test cases and bug reports, I think.

BR, Julian

Received on Wednesday, 20 August 2008 13:35:12 UTC
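The ambiguity this thread is about, as an added example that is not part of the original message: a Set-Cookie value with an Expires date already contains a comma, so folding two such lines into one and splitting on commas no longer yields the original cookies. The helper names, the `NO_MERGE` set and all header values are assumptions constructed for illustration.

```python
# Added illustration: all header values below are constructed samples.
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Fields a forwarding hop should leave as separate lines. Set-Cookie is the
# case under discussion; WWW-Authenticate is listed because the thread reports
# browsers mis-parsing it once merged.
NO_MERGE = {"set-cookie", "www-authenticate"}


def naive_merge(values: List[str]) -> str:
    """Fold repeated field values into one line, as list syntax permits."""
    return ", ".join(values)


def naive_split(value: str) -> List[str]:
    """Undo the fold the way a generic list-header parser would."""
    return [part.strip() for part in value.split(",")]


def forward_headers(headers: List[Header]) -> List[Header]:
    """Merge repeated list fields, but pass NO_MERGE fields through untouched."""
    out: List[Header] = []
    first_seen: Dict[str, int] = {}
    for name, value in headers:
        key = name.lower()
        if key in NO_MERGE:
            out.append((name, value))
        elif key in first_seen:
            i = first_seen[key]
            out[i] = (out[i][0], naive_merge([out[i][1], value]))
        else:
            first_seen[key] = len(out)
            out.append((name, value))
    return out


COOKIES = [
    "sid=abc123; Expires=Wed, 20-Aug-2008 13:35:12 GMT; Path=/",
    "lang=en; Expires=Thu, 21-Aug-2008 00:00:00 GMT",
]
SAMPLE = [("Set-Cookie", COOKIES[0]), ("Vary", "Accept-Encoding"),
          ("Set-Cookie", COOKIES[1]), ("Vary", "User-Agent")]

if __name__ == "__main__":
    print(naive_split(naive_merge(COOKIES)))  # four fragments, not two cookies
    for name, value in forward_headers(SAMPLE):
        print(f"{name}: {value}")
```

A check like this fits a test case for an intermediary: feed it repeated Set-Cookie lines and confirm the count and bytes of each line are unchanged on the way out.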