[http-state] [Technical Errata Reported] RFC6265 (3430)


RFC Errata System

Dec 13, 2012, 5:22:37 PM
to aba...@eecs.berkeley.edu, barry...@computer.org, pres...@qti.qualcomm.com, Jeff....@kingsmountain.com, rfc-e...@rfc-editor.org, zhong...@gmail.com, http-...@ietf.org

The following errata report has been submitted for RFC6265,
"HTTP State Management Mechanism".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6265&eid=3430

--------------------------------------
Type: Technical
Reported by: Zhong Yu <zhong...@gmail.com>

Section: 4.1.1

Original Text
-------------
max-age-av = "Max-Age=" non-zero-digit *DIGIT
; In practice, both expires-av and max-age-av
; are limited to dates representable by the
; user agent.
non-zero-digit = %x31-39
; digits 1 through 9


Corrected Text
--------------
max-age-av = "Max-Age=" 1*DIGIT
; In practice, both expires-av and max-age-av
; are limited to dates representable by the
; user agent.


Notes
-----
The current text forbids a server to send Max-Age=0.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6265 (draft-ietf-httpstate-cookie-23)
--------------------------------------
Title : HTTP State Management Mechanism
Publication Date : April 2011
Author(s) : A. Barth
Category : PROPOSED STANDARD
Source : HTTP State Management Mechanism
Area : Applications
Stream : IETF
Verifying Party : IESG
_______________________________________________
http-state mailing list
http-...@ietf.org
https://www.ietf.org/mailman/listinfo/http-state

Barry Leiba

Dec 14, 2012, 9:30:45 AM
to RFC Errata System, http-...@ietf.org, Pete Resnick, zhong...@gmail.com, aba...@eecs.berkeley.edu
Actually, it's much worse than that: the ABNF for max-age-av does not
match the text in Section 5.2.2 at all (5.2.2 allows a "-" as well,
and values less than or equal to zero). Before verifying this, we
need to check whether things like "-1" were meant to be valid --
whether the error is only in the ABNF, or whether 5.2.2 is (also)
wrong.

The easiest fix is to make the ABNF match Section 5.2.2, which could
be done this way:

Original Text
-------------
max-age-av = "Max-Age=" non-zero-digit *DIGIT

Corrected Text
-------------
max-age-av = "Max-Age=" (DIGIT / ("-" non-zero-digit)) *DIGIT

If Section 5.2.2 correctly expresses the intent, then this seems the
right erratum. Otherwise, there is an erratum in 5.2.2.

Adam, Jeff (and others): comments? What was the intent when the text
was written?

Barry

Dan Winship

Dec 17, 2012, 10:58:33 AM
to Barry Leiba, aba...@eecs.berkeley.edu, Pete Resnick, http-...@ietf.org, zhong...@gmail.com, RFC Errata System
On 12/14/2012 09:30 AM, Barry Leiba wrote:
> Actually, it's much worse than that: the ABNF for max-age-av does not
> match the text in Section 5.2.2 at all

Yes, that's intentional, and explained in the introduction:

> To maximize interoperability with user agents, servers SHOULD limit
> themselves to the well-behaved profile defined in Section 4 when
> generating cookies.
>
> User agents MUST implement the more liberal processing rules defined
> in Section 5, in order to maximize interoperability with existing
> servers that do not conform to the well-behaved profile defined in
> Section 4.

The prohibition against "Max-Age=0" is probably because IE still doesn't
support Max-Age, so any cookie that has Max-Age but not Expires is a
session cookie in IE. That's annoying for non-zero Max-Age values (and
the spec warns about this), but Max-Age=0 would end up meaning "delete
the cookie unless the user is using IE", which is almost certainly not
what you want.

-- Dan
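Added example, not part of any message in this thread: a small Python model of the three grammars the thread is comparing. It checks a Max-Age attribute-value against the RFC 6265 Section 4.1.1 server ABNF as published, against Barry Leiba's proposed replacement ABNF, and runs the Section 5.2.2 user-agent algorithm (first character DIGIT or "-", remainder all DIGIT, convert to integer, non-positive means "earliest representable date"). The sample values and the fixed "now" timestamp are constructed for the demonstration; `EARLIEST` stands in for whatever "earliest representable date" a real user agent uses.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 6265 Section 4.1.1 server profile, as published:
#   max-age-av = "Max-Age=" non-zero-digit *DIGIT
STRICT_4_1_1 = re.compile(r"[1-9][0-9]*")

# Barry Leiba's proposed replacement from this thread:
#   max-age-av = "Max-Age=" (DIGIT / ("-" non-zero-digit)) *DIGIT
PROPOSED_ABNF = re.compile(r"(?:[0-9]|-[1-9])[0-9]*")

# ASCII DIGIT only; str.isdigit() would also accept Unicode digits.
DIGITS = set("0123456789")

# Stand-in for "the earliest representable date and time" (assumption).
EARLIEST = datetime.min.replace(tzinfo=timezone.utc)


def conforms_to_server_profile(value: str, grammar=STRICT_4_1_1) -> bool:
    """True when the attribute-value is producible under the given ABNF."""
    return grammar.fullmatch(value) is not None


def parse_max_age_liberal(value: str, now: datetime):
    """RFC 6265 Section 5.2.2 Max-Age processing as a user agent does it.

    Returns the expiry-time, or None when the cookie-av must be ignored.
    """
    # "If the first character of the attribute-value is not a DIGIT or a
    #  "-" character, ignore the cookie-av."
    if not value or (value[0] != "-" and value[0] not in DIGITS):
        return None
    # "If the remainder of attribute-value contains a non-DIGIT character,
    #  ignore the cookie-av."
    if any(c not in DIGITS for c in value[1:]):
        return None
    # "Let delta-seconds be the attribute-value converted to an integer."
    # A bare "-" has no digits to convert; treat that as ignore (assumption).
    try:
        delta = int(value)
    except ValueError:
        return None
    # "If delta-seconds is less than or equal to zero (0), let expiry-time be
    #  the earliest representable date and time. Otherwise ... now + delta."
    if delta <= 0:
        return EARLIEST
    return now + timedelta(seconds=delta)


def classify(value: str, now: datetime) -> dict:
    """Side-by-side view of how one attribute-value fares under each rule."""
    return {
        "value": value,
        "rfc_4_1_1_ok": conforms_to_server_profile(value),
        "proposed_ok": conforms_to_server_profile(value, PROPOSED_ABNF),
        "ua_expiry": parse_max_age_liberal(value, now),
    }


# Constructed sample attribute-values covering the cases the thread raises.
SAMPLES = ["3600", "0", "-1", "007", "-0", "-", "", "abc", "1e3"]

if __name__ == "__main__":
    now = datetime(2012, 12, 17, 15, 0, tzinfo=timezone.utc)  # constructed
    for v in SAMPLES:
        r = classify(v, now)
        print(f"{v!r:8} 4.1.1={r['rfc_4_1_1_ok']!s:5} "
              f"proposed={r['proposed_ok']!s:5} ua={r['ua_expiry']}")
```

Running the script shows the split the thread is about: "0" and "-1" fail the published Section 4.1.1 grammar but are accepted by a Section 5.2.2 user agent, which treats both as "expire now". It also shows that the proposed ABNF is still not an exact match for 5.2.2: "-0" and "-" are handled differently by the two, and leading zeros ("007") pass both. A user agent that ignores Max-Age entirely, as Dan describes for IE, is simply `ua_expiry = None` for every value, which is why Max-Age=0 is not a portable deletion instruction.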

Barry Leiba

Dec 17, 2012, 11:17:18 AM
to Dan Winship, aba...@eecs.berkeley.edu, Pete Resnick, http-...@ietf.org, zhong...@gmail.com, RFC Errata System
Hi, Dan.

>> Actually, it's much worse than that: the ABNF for max-age-av does not
>> match the text in Section 5.2.2 at all
>
> Yes, that's intentional, and explained in the introduction:
>
>> To maximize interoperability with user agents, servers SHOULD limit
>> themselves to the well-behaved profile defined in Section 4 when
>> generating cookies.
>>
>> User agents MUST implement the more liberal processing rules defined
>> in Section 5, in order to maximize interoperability with existing
>> servers that do not conform to the well-behaved profile defined in
>> Section 4.

Oy. Yes, as I read more, I see the various bits of this. I wish the
document had said all this in a different way, making it clearer that
the ABNF is not normative in the way it usually is.

Anyway, what this tells me is that this erratum should be "Rejected",
with an explanation related to what you sent in your message. Thanks.

Barry

Zhong Yu

Dec 17, 2012, 11:24:48 AM
to Dan Winship, http-...@ietf.org, Pete Resnick, Barry Leiba, aba...@eecs.berkeley.edu, RFC Errata System
On Mon, Dec 17, 2012 at 9:58 AM, Dan Winship <dan.w...@gmail.com> wrote:
> On 12/14/2012 09:30 AM, Barry Leiba wrote:
>> Actually, it's much worse than that: the ABNF for max-age-av does not
>> match the text in Section 5.2.2 at all
>
> Yes, that's intentional, and explained in the introduction:
>
>> To maximize interoperability with user agents, servers SHOULD limit
>> themselves to the well-behaved profile defined in Section 4 when
>> generating cookies.
>>
>> User agents MUST implement the more liberal processing rules defined
>> in Section 5, in order to maximize interoperability with existing
>> servers that do not conform to the well-behaved profile defined in
>> Section 4.
>
> The prohibition against "Max-Age=0" is probably because IE still doesn't
> support Max-Age, so any cookie that has Max-Age but not Expires is a
> session cookie in IE. That's annoying for non-zero Max-Age values (and
> the spec warns about this), but Max-Age=0 would end up meaning "delete
> the cookie unless the user is using IE", which is almost certainly not
> what you want.

Thanks Dan, so a server should avoid Max-Age altogether. If a server
sets Max-Age=a few seconds, it won't be honored by IE either.

Zhong