Willy Tarreau | a168b10 | 2010-08-31 19:26:56 +0200

2010/08/31 - HTTP Cookies - Theory and reality

HTTP cookies are not uniformly supported across browsers, which makes it very
hard to build a widely compatible implementation. At least four conflicting
documents exist to describe how cookies should be handled, and browsers
generally don't follow any one of them, only a sensibly selected mix of them :

- Netscape's original spec (also mirrored at Curl's site among others) :
  http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
  http://curl.haxx.se/rfc/cookie_spec.html

  Issues: uses an unquoted "Expires" field whose date value includes a comma.

- RFC 2109 :
  http://www.ietf.org/rfc/rfc2109.txt

  Issues: specifies use of "Max-Age" (not universally implemented) and does
  not talk about "Expires" (generally supported). References quoted
  strings, which are not generally supported (e.g. MSIE). Stricter than
  browsers about domains. Ambiguous about allowed spaces in values and
  attributes.

- RFC 2965 :
  http://www.ietf.org/rfc/rfc2965.txt

  Issues: same as RFC 2109, plus it describes Set-Cookie2, which only Opera
  supports.

- Current internet draft :
  https://datatracker.ietf.org/wg/httpstate/charter/

  Issues: as of -p10, does not explain how the Set-Cookie2 header must be
  emitted/handled, while suggesting a stricter approach for Cookie.
  Documents reality and as such reintroduces the widely used unquoted
  "Expires" attribute with its error-prone syntax. States that a
  server should not emit more than one cookie per Set-Cookie header,
  which is incompatible with HTTP, which says that multiple headers
  with the same name are allowed only if they can be folded into one.

See also the following URL for a browser feature matrix :
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

In short, MSIE and Safari support neither quoted strings nor Max-Age, which
makes it mandatory to continue to send an unquoted Expires value (maybe the
day of week could be omitted though). Only Safari supports comma-separated
lists of Set-Cookie headers. Support for cross-domain cookies is not uniform
either.
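The following is an added example, not part of this document or of the HAProxy code base, illustrating the two syntax problems above: the unquoted Expires date carries a comma, so a receiver that folds several Set-Cookie headers with commas (as HTTP allows for other headers) cannot simply split on commas. The helper names (parse_set_cookie, split_folded, naive_split, format_expires) and the sample header values are assumptions constructed for this illustration.

```python
import email.utils
import re
from typing import Dict, List, Tuple

# Constructed sample: two cookies folded into a single Set-Cookie value with
# a comma, as some servers emit and only Safari (per the text above) accepts.
FOLDED = ("SESSIONID=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/, "
          "lang=en; Max-Age=3600; Secure")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attributes are keyed case-insensitively; flag attributes without a
    value (Secure, HttpOnly) map to True. Values are left unquoted, since
    MSIE and Safari do not honour quoted strings anyway.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def naive_split(folded: str) -> List[str]:
    """Generic header folding rule: split on every comma. Breaks Expires."""
    return [p.strip() for p in folded.split(",")]


# A new cookie starts with a token immediately followed by '='. The comma in
# an Expires date is followed by whitespace and a day number, never by
# "token=", so only split on commas whose next token is followed by '='.
COOKIE_BOUNDARY = re.compile(r",\s*(?=[^=;,\s]+=)")


def split_folded(folded: str) -> List[str]:
    """Cookie-aware split of a comma-folded Set-Cookie value."""
    return [p.strip() for p in COOKIE_BOUNDARY.split(folded)]


def format_expires(unix_ts: int) -> str:
    """Emit the unquoted Netscape-style Expires value every browser accepts.

    Day-of-week, comma and GMT are kept because that is the widely
    implemented form; the comma is exactly what makes folding fragile.
    """
    return email.utils.formatdate(unix_ts, usegmt=True)


if __name__ == "__main__":
    print("naive:", naive_split(FOLDED))   # three pieces, Expires torn apart
    for raw in split_folded(FOLDED):
        print(parse_set_cookie(raw))
    print(format_expires(1623233894))
```

Run as a script it prints the broken three-way naive split next to the two correctly recovered cookies; the regular expression is enough for the date formats in the documents listed above but, like any comma-folding of Set-Cookie, remains a heuristic, which is the practical reason for sending one cookie per header.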