
Ticket #129 (closed design: fixed)

Opened 6 years ago

Last modified 2 years ago

List-type header fields vs Set-Cookie

Reported by: julian.reschke@gmx.de Owned by:
Priority: normal Milestone: unassigned
Component: p1-messaging Severity: Active WG Document
Keywords: Cc:
Origin: http://lists.w3.org/Archives/Public/ietf-http-wg/2008AprJun/0584.html

Description

Part 1, Section 4.2 (http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-03#section-4.2) states:

"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded."

This is known to be incompatible with Set-Cookie as implemented in practice, as opposed to as defined in RFC 2109.

In particular, Jamie Lokier points out:

RFC2109 is not implemented by anybody as far as I know.

Firstly, cookie _values_ in Set-Cookie may contain a comma which _mustn't_ be quoted because quotes are considered part of the value. When a value is unquoted, RFC2109 says it must match token syntax, but even today that's not conformed to. And RFC2109 doesn't describe an "expires=" attribute, but of course nearly all cookies have one, and they don't have the "max-age=" attribute which RFC2109 recommends. Finally, as you note, unquoted comma in expires attributes - in fact quoting is not allowed historically for that either.

See how many RFC2109 non-compliances you can find in this header I got today from Google, for example.

Set-Cookie: PREF=ID=823cb075fecf6437:TM=1195776675:LM=1195776675:S=WADqk8jBntt5y3gk; expires=Sun, 22-Nov-2009 00:11:15

(That nobody implements RFC2109 is implied in RFC2965, which obsoletes RFC2109 and in section 9 talks about using Set-Cookie2 alongside Netscape style Set-Cookies, not mentioning RFC2109 style Set-Cookies. I think this reflects the observation at the time that the change of Set-Cookie syntax promoted in RFC2109 wasn't taken up, probably because it's not backward compatible.)

It seems to me that it would be a service to implementors to minimally add a Note pointing out this special case.
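
The incompatibility described above, as an added example (not part of the ticket, the attached diffs or the draft): a Python sketch that applies the Section 4.2 combining rule to two Set-Cookie fields, shows the unquoted comma in `expires=` breaking the list split, and then keeps Set-Cookie fields separate. The function names, the second cookie and the Accept fields are constructed for illustration; the first cookie is the one quoted in the ticket.

```python
# Added example: generic list-header combining vs. Set-Cookie.

# Header fields in received order. The first Set-Cookie value is the one quoted
# in the ticket; the second Set-Cookie and both Accept fields are constructed.
RECEIVED = [
    ("Accept", "text/html"),
    ("Set-Cookie", "PREF=ID=823cb075fecf6437:TM=1195776675:LM=1195776675:"
                   "S=WADqk8jBntt5y3gk; expires=Sun, 22-Nov-2009 00:11:15"),
    ("Accept", "application/xml;q=0.9"),
    ("Set-Cookie", "SID=constructed-value; path=/"),
]

# Field names that must never be merged (the special case the ticket raises).
NEVER_COMBINE = {"set-cookie"}


def combine_all(fields):
    """Section 4.2 rule applied blindly: same-name values joined with a comma."""
    merged = {}
    for name, value in fields:
        key = name.lower()
        merged[key] = merged[key] + ", " + value if key in merged else value
    return merged


def split_list(value):
    """What a recipient of a #(values) header does: split on commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def combine_safely(fields):
    """Same rule, but Set-Cookie fields stay separate, in received order."""
    merged = {}
    for name, value in fields:
        key = name.lower()
        if key in NEVER_COMBINE:
            merged.setdefault(key, []).append(value)
        else:
            merged[key] = merged[key] + ", " + value if key in merged else value
    return merged


if __name__ == "__main__":
    naive = split_list(combine_all(RECEIVED)["set-cookie"])
    print(len(naive), "fragments after naive merge and split:", naive)
    print(len(combine_safely(RECEIVED)["set-cookie"]), "cookies when kept separate")
```

An intermediary or library that merges same-named fields can use the same exemption so that cookie attributes such as `expires` and `path` reach the client attached to the cookie they were set on.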

Attachments

i129.diff (3.6 KB) - added by julian.reschke@gmx.de 6 years ago.
proposed change for part 1
i129.2.diff (3.6 KB) - added by julian.reschke@gmx.de 6 years ago.
proposed change for part 1.
i129.3.diff (3.6 KB) - added by julian.reschke@gmx.de 6 years ago.
New proposed replacement text

Change History

Changed 6 years ago by julian.reschke@gmx.de

proposed change for part 1

Changed 6 years ago by julian.reschke@gmx.de

proposed change for part 1.

Changed 6 years ago by julian.reschke@gmx.de

New proposed replacement text

comment:1 Changed 6 years ago by julian.reschke@gmx.de

  • Status changed from new to closed
  • Resolution set to fixed

See [310]

comment:2 Changed 4 years ago by julian.reschke@gmx.de

  • Priority set to normal

We may want to revisit this once the new cookie spec is out; see also <http://www.ietf.org/mail-archive/web/http-state/current/msg00976.html>.

comment:3 Changed 3 years ago by mnot@pobox.com

  • Severity changed from Candidate WG Document to Active WG Document

comment:4 Changed 2 years ago by julian.reschke@gmx.de

  • Summary changed from List-type headers vs Set-Cookie to List-type header fields vs Set-Cookie