W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2022

Re: Signing Set-Cookie

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Jun 2022 09:01:17 +1000
Cc: Willy Tarreau <w@1wt.eu>, Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <75849B4F-275C-481F-8F62-4713E3E56381@mnot.net>
To: Justin Richer <jricher@mit.edu> 
Require signing SF-Set-Cookie instead?

> On 8 Jun 2022, at 3:31 am, Justin Richer <jricher@mit.edu> wrote:
> 
>  - Never sign Set-Cookie
>  - Never sign multiple Set-Cookie headers
>  - Have a special syntax for dealing with Set-Cookie (probably a derived component, but I’m not thrilled about this one)
>  - Warn against weirdness with multiple Set-Cookie headers
> 
> Any other approaches?

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 7 June 2022 23:01:36 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:44:07 UTC