Quick thoughts:

If a client has two same-named cookies with different domains and/or paths,
do they all get deleted? For example, they were sent the following
Set-Cookie headers from the example.com server:

    Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com
    Set-Cookie: my-cookie=def; Path=/client; Domain=example.com

What happens if the server at example.com sends:

    Delete-Cookie: "my-cookie"

Do they both get deleted?

Nit: Section 3 says "These servers could have already deleted these same
cookies by setting cookies with identical name, path and domain with an
expiration date of 0." Technically, you can pass a max-age attribute of 0
and/or an Expires date in the past, but an expires date of 0 is invalid...

On Thu, Mar 20, 2025 at 2:22 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
> I've published an I-D
> <https://www.ietf.org/archive/id/draft-deletecookie-weiss-http-00.html> for
> this. As always, feedback is very much welcome!!
>
> On Sun, Mar 2, 2025 at 9:51 AM Daniel Stenberg <daniel@haxx.se> wrote:
>
>> On Sat, 1 Mar 2025, Rory Hewitt wrote:
>>
>> > Do you think that the problem could be solved by a better-written spec or
>> > does the whole cookie issue need re-doing
>>
>> I think the spec, including 6265bis, is generally good. I expect most of us
>> individually think there are details in it that can be improved but which spec
>> is not like that?
>>
>> I think 6265bis is an improvement and I think it can be improved further.
>> Again, like most specs.
>>
>> --
>>
>> / daniel.haxx.se
>>
>>
--
Rory Hewitt
https://www.linkedin.com/in/roryhewitt
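
The existing deletion mechanism referred to in the nit above (a Set-Cookie with Max-Age of 0 and identical name, path and domain), as an added example that is not part of the original thread or of the draft: a simplified RFC 6265-style cookie jar showing why the two same-named cookies are separate entries. The names `parseSetCookie`, `CookieJar` and `demo` are hypothetical, the default path is assumed to be "/", and Delete-Cookie itself is not modelled.

```javascript
// Simplified model of RFC 6265 storage: entries are keyed by
// (name, domain, path), so same-named cookies coexist.
// Assumptions: no Expires parsing, no public-suffix or request-URI
// default-path logic (default path is "/"), Domain is taken as given.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: "", path: "/", maxAge: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "max-age" && /^-?\d+$/.test(val)) cookie.maxAge = parseInt(val, 10);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.store = new Map(); }
  receive(header) {
    const c = parseSetCookie(header);
    const key = `${c.name}|${c.domain}|${c.path}`;
    if (c.maxAge !== null && c.maxAge <= 0) this.store.delete(key); // expired on arrival
    else this.store.set(key, c.value);
    return this;
  }
  values(name) {
    return [...this.store].filter(([k]) => k.startsWith(name + "|")).map(([, v]) => v).sort();
  }
}

// Constructed scenario using the two Set-Cookie headers from the message.
function demo() {
  const jar = new CookieJar()
    .receive("my-cookie=abc; Path=/; Domain=www.example.com")
    .receive("my-cookie=def; Path=/client; Domain=example.com");
  const before = jar.values("my-cookie");
  // Same name and domain as the second cookie, but no Path: matches no entry.
  jar.receive("my-cookie=; Max-Age=0; Domain=example.com");
  const afterMismatch = jar.values("my-cookie");
  // Identical name, path and domain: only that one entry is removed.
  jar.receive("my-cookie=; Max-Age=0; Path=/client; Domain=example.com");
  const afterMatch = jar.values("my-cookie");
  return { before, afterMismatch, afterMatch };
}
```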