Re: New Cookies Draft

Hi Johann, Anne,

On Mon, Dec 09, 2024 at 05:12:03PM -0500, Johann Hofmann wrote:
> Hi everyone,
> 
> At IETF 120, Anne and I presented
> <https://docs.google.com/presentation/d/17FCT2BuYou7AB_dUzq9u6_q3X8L9CTswmrOMGVnshCM/edit#slide=id.p>
> our efforts to write a new Cookies draft specification to follow in the
> footsteps of 6265bis, which is in WG Last Call.
> 
> We submitted our initial draft for review
> <https://datatracker.ietf.org/doc/draft-annevk-johannhof-httpbis-cookies/>
> and are looking forward to having a Call for Adoption as soon as possible
> (we'll leave the exact timing to chairs to make sure we don't conflict w/
> 6265bis).
(...)

I like the way it's presented. It's particularly clear, indicates known
differences between implementations, and it's easy to look up any
attribute and the related traps. It's a good continuation of the 6265bis
effort IMHO.

> We'd love to get this group's input, support and contributions
> on these and other issues going forward.
> 
> Looking forward to your thoughts and feedback.

Just to be clear, what is the exact goal here? Is it to "only" provide
a replacement to 6265 taking reality into account, or also to propose
improvements to the standard? Both are interesting and useful, I'm
just trying to be sure not to be out of topic.

For example I'd really like to have a way for a server to clear all
(session?) cookies for the current site and possibly a path, the
typical "logout" button. I know there's no way to guarantee that,
but if we could do something like:

  set-cookie: *=; Expires=Thu, 01 Jan 1970 00:00:00 GMT

and let the browser flush all the cookies it knows for that site, that
would be a huge step into helping logout clear cookies. Right now I
know that it's difficult for some portals to clear all the cookies
possibly delivered by one of the many backend applications. Some try
to collect them, or just tentatively eliminate the most likely ones.
With an extra header field like the above, there would be an opportunity
for all missed ones to be deleted as well. And once the site knows that
all the UAs it accepts support that, it could be simplified.

Another one would be to see if UAs support an expires between quotes,
because that could be the way forward to maybe one day support folding
multiple set-cookie header fields into a single, comma-delimited one.

Maybe trying to encourage UAs to support that in the spec could be
helpful for future implementations.

Thanks!
Willy
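
[Added illustration, not part of Willy's message or of the draft. It models
the two points raised above: what a "logout" handler can do today with
per-name expiring Set-Cookie fields, and why the comma inside an unquoted
Expires date prevents folding several Set-Cookie fields into one. The cookie
store is a deliberately small model of RFC 6265 storage keyed on (name, path);
the cookie names, values and paths are constructed for the example.]

```python
from __future__ import annotations
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: names, values and paths below are made up.
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def parse_cookie_header(cookie_header: str) -> list[str]:
    """Return the cookie names carried by a request Cookie field ("a=1; b=2")."""
    names: list[str] = []
    for pair in cookie_header.split(";"):
        name = pair.strip().partition("=")[0].strip()
        if name and name not in names:
            names.append(name)
    return names


def logout_set_cookie_headers(cookie_header: str, path: str = "/") -> list[str]:
    """What a logout handler can do today: expire every cookie name the client
    presented. The Cookie field carries no Path/Domain, so each clearing
    Set-Cookie can only guess the attributes the cookie was set with."""
    return [f"{name}=; Expires={EPOCH}; Max-Age=0; Path={path}"
            for name in parse_cookie_header(cookie_header)]


def apply_set_cookie(store: dict[tuple[str, str], str], set_cookie: str) -> None:
    """Toy model of user-agent storage: a cookie is identified by (name, path);
    an already-expired cookie removes the stored one with the same key."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    key = (name.strip(), attrs.get("path", "/"))
    expired = False
    if "max-age" in attrs and int(attrs["max-age"]) <= 0:
        expired = True
    elif "expires" in attrs and parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc):
        expired = True
    if expired:
        store.pop(key, None)
    else:
        store[key] = value


def simulate_logout() -> list[tuple[str, str]]:
    """Set two cookies (portal and backend app), run a logout response built
    from the request's Cookie field, and return the (name, path) keys that
    survive. The backend cookie on Path=/app survives because the clearing
    Set-Cookie used Path=/ and therefore targets a different cookie."""
    store: dict[tuple[str, str], str] = {}
    apply_set_cookie(store, "sid=abc123; Path=/")       # set by the portal
    apply_set_cookie(store, "appsess=xyz; Path=/app")   # set by a backend app
    # A request to /app sends both cookies, without their attributes.
    for header in logout_set_cookie_headers("sid=abc123; appsess=xyz"):
        apply_set_cookie(store, header)
    return sorted(store)


def split_folded_set_cookie(folded: str, quote_aware: bool) -> list[str]:
    """Split a comma-folded Set-Cookie field into individual cookies.
    quote_aware=False is the generic combined-field rule (split on every
    comma), which breaks on the comma inside an unquoted Expires date.
    quote_aware=True leaves commas inside double quotes alone."""
    if not quote_aware:
        return [p.strip() for p in folded.split(",")]
    out: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in folded:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out


if __name__ == "__main__":
    print("cookies left after logout:", simulate_logout())
    print(split_folded_set_cookie(f"a=1; Expires={EPOCH}, b=2", quote_aware=False))
    print(split_folded_set_cookie(f'a=1; Expires="{EPOCH}", b=2', quote_aware=True))
```

Running it shows the remaining ("appsess", "/app") entry, which is exactly the
"missed one" a site-wide clearing field would catch, and that only the quoted
Expires form survives a split of the folded field.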

Received on Tuesday, 10 December 2024 07:01:12 UTC