"Fossies" - the Fresh Open Source Software Archive

Member "haproxy-2.0.0/doc/internals/http-cookies.txt" (16 Jun 2019, 2187 Bytes) of package /linux/misc/haproxy-2.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 2010/08/31 - HTTP Cookies - Theory and reality
    2 
    3 HTTP cookies are not uniformly supported across browsers, which makes it very
    4 hard to build a widely compatible implementation. At least four conflicting
    5 documents exist to describe how cookies should be handled, and browsers
    6 generally don't respect any but a sensibly selected mix of them :
    7 
    8   - Netscape's original spec (also mirrored at Curl's site among others) :
    9     http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
   10     http://curl.haxx.se/rfc/cookie_spec.html
   11 
   12     Issues: uses an unquoted "Expires" field that includes a comma.
   13 
   14   - RFC 2109 :
   15     http://www.ietf.org/rfc/rfc2109.txt
   16 
   17     Issues: specifies use of "Max-Age" (not universally implemented) and does
   18             not talk about "Expires" (generally supported). References quoted
   19             strings, not generally supported (eg: MSIE). Stricter than browsers
   20             about domains. Ambiguous about allowed spaces in values and attrs.
   21 
   22   - RFC 2965 :
   23     http://www.ietf.org/rfc/rfc2965.txt
   24 
   25     Issues: same as RFC2109 + describes Set-Cookie2 which only Opera supports.
   26 
   27   - Current internet draft :
   28     https://datatracker.ietf.org/wg/httpstate/charter/
   29 
   30     Issues: as of -p10, does not explain how the Set-Cookie2 header must be
   31             emitted/handled, while suggesting a stricter approach for Cookie.
   32             Documents reality and as such reintroduces the widely used unquoted
   33             "Expires" attribute with its error-prone syntax. States that a
   34             server should not emit more than one cookie per Set-Cookie header,
   35             which is incompatible with HTTP which says that multiple headers
   36             are allowed only if they can be folded.
   37 
   38 See also the following URL for a browser * feature matrix :
   39    http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
   40 
   41 In short, MSIE and Safari neither support quoted strings nor max-age, which
   42 make it mandatory to continue to send an unquoted Expires value (maybe the
   43 day of week could be omitted though). Only Safari supports comma-separated
   44 lists of Set-Cookie headers. Support for cross-domains is not uniform either.
   45