Fwd: Safari cookie bug affects multi-cookie sessions

[David Underhill]

Jeremy stumbled on an unfortunate bug in Safari which gae-sessions users should be aware of.  If you use cookie-only sessions which don't fit in just a single cookie (more than about 4kB of session data) then Safari may randomly drop one of the cookies (breaking the session as Jeremy describes below).

If your session fits in one cookie (which I expect is the case for most sites) then you don't have to worry about this Safari bug.  Otherwise, you might want to consider turning cookie-only sessions off (preferably just for Safari users since cookie-only sessions are much faster and can still be enjoyed by all other major browsers including IE, Firefox, Chrome, etc.).

~ David

---------- Forwarded message ----------
From: Jeremy Dunck <jdu...@gmail.com>
Date: Fri, Nov 19, 2010 at 15:59
To: David Underhill <d...@cs.stanford.edu>

It seems that in Safari 5, something is causing cookies to be dropped.
I'm issuing 2 cookies totalling about 6K.   Using Wireshark, I see
that the cookie is issued to the browser, but Safari is dropping it.
The same scenario works in Chrome 7.

I think it may actually be this:
https://bugs.webkit.org/show_bug.cgi?id=3512

I'm attaching a Wireshark trace that shows DguU00 being dropped for no
apparent reason.

Not opening a gae-sessions ticket since it doesn't appear to be your
fault.  Even so, a comment about this might help others avoid.