- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 18 Nov 2013 09:30:10 +0100
- To: Willy Tarreau <w@1wt.eu>, Martin Thomson <martin.thomson@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2013-11-18 05:52, Willy Tarreau wrote:
> Hi Martin,
>
> On Sun, Nov 17, 2013 at 04:44:19PM -0800, Martin Thomson wrote:
>> On 16 November 2013 00:02, Willy Tarreau <w@1wt.eu> wrote:
>>> Indeed, right now applications correctly handle cookie as a list
>>> of values which can be aggregated using commas like any other header
>>> field.
>>
>> All the discussions thus far, plus a reasonably careful reading of RFC
>> 6265 leads me to conclude that this is not the case. In particular,
>> http://tools.ietf.org/html/rfc6265#section-5.4 is quite clear:
>>
>> When the user agent generates an HTTP request, the user agent MUST
>> NOT attach more than one Cookie header field.
>
> Indeed, I'm noticing this change in this version. Both 2109 and 2965 used
> to define it this way using ';' or ',' as delimiters :
>
> cookie = "Cookie:" cookie-version 1*((";" | ",") cookie-value)
But that's not the "list" rule that
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-25.html#rfc.section.3.2.2.p.2>
refers to.
> I have no idea why Adam proposed this change in a way incompatible with
> what was done for 15 years. Also I know a number of places where reverse
> proxies add Cookie headers before passing the request to the server
> (generally with user information or geoloc info). It's been said for a
> while that only the Set-Cookie header could not be folded (because of the
> date containing a comma) while the Cookie header can.
As far as I remember, this didn't come up while the httpstate WG worked
on the new cookie spec.
>> Given the grammar, which doesn't use the list construction or a comma,
>> merging with commas would seem to be invalid.
>
> It used to be before 6265 at least.
Nope, see above.
> ...
Best regards, Julian
Received on Monday, 18 November 2013 08:30:39 UTC