Re: Delete-Cookie header??

Quick thoughts:

If a client has two same-named cookies with different domains and/or paths,
do they all get deleted? For example, they were sent the following
Set-Cookie headers from the example.com server:

Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com
Set-Cookie: my-cookie=def; Path=/client; Domain=example.com

What happens if the server at example.com sends:

Delete-Cookie: "my-cookie"

Do they both get deleted?

Nit: Section 3 says "These servers could have already deleted these same
cookies by setting cookies with identical name, path and domain with an
expiration date of 0." Technically, you can pass a max-age attribute of 0
and/or an Expires date in the past, but an expires date of 0 is invalid...

On Thu, Mar 20, 2025 at 2:22 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:

> I've published an I-D
> <https://www.ietf.org/archive/id/draft-deletecookie-weiss-http-00.html> for
> this. As always, feedback is very much welcome!!
>
> On Sun, Mar 2, 2025 at 9:51 AM Daniel Stenberg <daniel@haxx.se> wrote:
>
>> On Sat, 1 Mar 2025, Rory Hewitt wrote:
>>
>> > Do you think that the problem could be solved by a better-written spec or
>> > does the whole cookie issue need re-doing
>>
>> I think the spec, including 6265bis, is generally good. I expect most of us
>> individually think there are details in it that can be improved but which spec
>> is not like that?
>>
>> I think 6265bis is an improvement and I think it can be improved further.
>> Again, like most specs.
>>
>> --
>>
>>   / daniel.haxx.se
>>
>>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Thursday, 20 March 2025 15:52:22 UTC
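
Added example, not part of the original message or of the draft: a simplified JavaScript model of the RFC 6265 cookie store, run on the two Set-Cookie headers quoted above. It shows that today's deletion matches on name, domain and path together, and that an unparseable Expires value such as 0 is ignored instead of expiring the cookie. The function names and the jar layout are assumptions made for illustration; default-domain, default-path and domain-matching rules are left out.

```javascript
// Simplified RFC 6265 storage model (illustrative, not a browser's code):
// a stored cookie is identified by the (name, domain, path) triple.
const HAS_TIME = /\d{1,2}:\d{1,2}:\d{1,2}/; // a cookie-date needs a time field

function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: "", path: "/" };
  let maxAge, expires;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") c.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path" && val.startsWith("/")) c.path = val;
    else if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires" && HAS_TIME.test(val) && !Number.isNaN(Date.parse(val)))
      expires = Date.parse(val);
    // Anything else, including an unparseable Expires such as "0", is ignored.
  }
  // Max-Age wins over Expires; with neither, the cookie is a session cookie.
  if (maxAge !== undefined) c.expiry = maxAge <= 0 ? -Infinity : now + maxAge * 1000;
  else c.expiry = expires !== undefined ? expires : Infinity;
  return c;
}

function applySetCookie(jar, header, now = Date.now()) {
  const c = parseSetCookie(header, now);
  const key = `${c.name}|${c.domain}|${c.path}`;
  if (c.expiry <= now) jar.delete(key); // expired on arrival: evicts the exact triple only
  else jar.set(key, c.value);           // otherwise create or overwrite that triple
  return jar;
}

function demo() {
  const jar = new Map();
  // The two headers from the message above.
  applySetCookie(jar, "my-cookie=abc; Path=/; Domain=www.example.com");
  applySetCookie(jar, "my-cookie=def; Path=/client; Domain=example.com");
  // Constructed deletion attempts: Expires=0 is ignored, Max-Age=0 works.
  applySetCookie(jar, "my-cookie=; Path=/; Domain=www.example.com; Expires=0");
  const sizeAfterExpiresZero = jar.size;
  const valueAfterExpiresZero = jar.get("my-cookie|www.example.com|/");
  applySetCookie(jar, "my-cookie=; Path=/; Domain=www.example.com; Max-Age=0");
  return { sizeAfterExpiresZero, valueAfterExpiresZero, remaining: [...jar.keys()] };
}
```

In this model the Expires=0 attempt leaves both cookies in the jar, with the first overwritten by an empty session cookie, and the Max-Age=0 attempt removes only the www.example.com entry, so the Path=/client cookie survives.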