Quick thoughts: If a client has two same-named cookies with different domains and/or paths, do they all get deleted? For example, they were sent the following Set-Cookie headers from the example.com server: Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com Set-Cookie: my-cookie=def; Path=/client; Domain=example.com What happens if the server at example.com sends: Delete-Cookie: "my-cookie" Do they both get deleted? Nit: Section 3 says "These servers could have already deleted these same cookies by setting cookies with identical name, path and domain with an expiration date of 0." Technically, you can pass a max-age attribute of 0 and/or an Expires date in the past, ut an expires date of 0 is invalid... On Thu, Mar 20, 2025 at 2:22 AM Yoav Weiss <yoav.weiss@shopify.com> wrote: > I've published an I-D > <https://www.ietf.org/archive/id/draft-deletecookie-weiss-http-00.html> for > this. As always, feedback is very much welcome!! > > On Sun, Mar 2, 2025 at 9:51 AM Daniel Stenberg <daniel@haxx.se> wrote: > >> On Sat, 1 Mar 2025, Rory Hewitt wrote: >> >> > Do you think that the problem could be solved by a better-written spec >> or >> > does the whole cookie issue need re-doing >> >> I think the spec, including 6265bis, is generally good. I expect most of >> us >> invididually think there are details in it that can be improved but which >> spec >> is not like that? >> >> I think 6265bis is an improvement and I think it can be improved further. >> Again, like most specs. >> >> -- >> >> / daniel.haxx.se >> >> -- Rory Hewitt https://www.linkedin.com/in/roryhewitt
Received on Thursday, 20 March 2025 15:52:22 UTC