Re: Handling Cookies is a Minefield

On Mon, Dec 2, 2024 at 10:28 PM Willy Tarreau <w@1wt.eu> wrote:

> Among the needs I've identified quite a few times in the field [...]
>
>   2. the difficulty to store arbitrarily long cookies
>

That should be more than difficult: the cookie specs have always explicitly
forbidden arbitrarily long cookies. The practical limits imposed by servers
and the network are even less than the spec allows.

>   3. the difficulty to purge all cookies associated with a given session
>

A `Clear-site-data: cookies` response header will do that in browsers these
days, if "given session" means all the cookies for the entire domain and
not some subset of that.

-Dan Veditz

Received on Thursday, 5 December 2024 02:01:10 UTC