[http-state] [Technical Errata Reported] RFC6265 (3765)
3 views
Skip to first unread message
RFC Errata System
Oct 26, 2013, 3:29:08 AM10/26/13
to aba...@eecs.berkeley.edu, barry...@computer.org, pres...@qti.qualcomm.com, Jeff....@kingsmountain.com, in...@firmen.jknaupp.de, rfc-e...@rfc-editor.org, http-...@ietf.org
The following errata report has been submitted for RFC6265,
"HTTP State Management Mechanism".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6265&eid=3765
--------------------------------------
Type: Technical
Reported by: Johannes Knaupp <in...@firmen.jknaupp.de>
Section: 4.1.1
Original Text
-------------
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.2 for
how user agents handle this case.)
Corrected Text
--------------
Servers MUST NOT include more than one Set-Cookie header field in
the same response.
Notes
-----
The HTTP specification (RFC 2616) says in its section 4.2: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. [...]"
Since the mentioned condition is not fulfilled in the case of Set-Cookie headers, only one Set-Cookie header is permissible in an HTTP message.
This also applies to the third example in section 3.1, even though it is not clearly specified there whether or not the two Set-Cookies originate from the same server response.
On the internet many HTTP messages contain multiple Set-Cookie headers, and this seems to make sense in order to avoid additional roundtrips. This, however, (1) does not match the HTTP specification, see above, and therefore (2) cannot be used with implementations stating that they were HTTP compatible and consequently only allow a single Set-Cookie header per response. Clearly, this is not a defect of those implementations, but of the specifications which are at least mistakable (if not contradictory).
Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC6265 (draft-ietf-httpstate-cookie-23)
--------------------------------------
Title : HTTP State Management Mechanism
Publication Date : April 2011
Author(s) : A. Barth
Category : PROPOSED STANDARD
Source : HTTP State Management Mechanism
Area : Applications
Stream : IETF
Verifying Party : IESG
_______________________________________________
http-state mailing list
http-...@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
"HTTP State Management Mechanism".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6265&eid=3765
--------------------------------------
Type: Technical
Reported by: Johannes Knaupp <in...@firmen.jknaupp.de>
Section: 4.1.1
Original Text
-------------
Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.2 for
how user agents handle this case.)
Corrected Text
--------------
Servers MUST NOT include more than one Set-Cookie header field in
the same response.
Notes
-----
The HTTP specification (RFC 2616) says in its section 4.2: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. [...]"
Since the mentioned condition is not fulfilled in the case of Set-Cookie headers, only one Set-Cookie header is permissible in an HTTP message.
This also applies to the third example in section 3.1, even though it is not clearly specified there whether or not the two Set-Cookies originate from the same server response.
On the internet many HTTP messages contain multiple Set-Cookie headers, and this seems to make sense in order to avoid additional roundtrips. This, however, (1) does not match the HTTP specification, see above, and therefore (2) cannot be used with implementations stating that they were HTTP compatible and consequently only allow a single Set-Cookie header per response. Clearly, this is not a defect of those implementations, but of the specifications which are at least mistakable (if not contradictory).
Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC6265 (draft-ietf-httpstate-cookie-23)
--------------------------------------
Title : HTTP State Management Mechanism
Publication Date : April 2011
Author(s) : A. Barth
Category : PROPOSED STANDARD
Source : HTTP State Management Mechanism
Area : Applications
Stream : IETF
Verifying Party : IESG
_______________________________________________
http-state mailing list
http-...@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
Julian Reschke
Oct 26, 2013, 7:13:57 AM10/26/13
to RFC Errata System, aba...@eecs.berkeley.edu, barry...@computer.org, pres...@qti.qualcomm.com, Jeff....@kingsmountain.com, in...@firmen.jknaupp.de, http-...@ietf.org
On 2013-10-26 09:29, RFC Errata System wrote:
> The following errata report has been submitted for RFC6265,
> "HTTP State Management Mechanism".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6265&eid=3765
>
> --------------------------------------
> Type: Technical
> Reported by: Johannes Knaupp <in...@firmen.jknaupp.de>
>
> Section: 4.1.1
>
> Original Text
> -------------
> Servers SHOULD NOT include more than one Set-Cookie header field in
> the same response with the same cookie-name. (See Section 5.2 for
> how user agents handle this case.)
>
>
>
> Corrected Text
> --------------
> Servers MUST NOT include more than one Set-Cookie header field in
> the same response.
> ...
> The following errata report has been submitted for RFC6265,
> "HTTP State Management Mechanism".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6265&eid=3765
>
> --------------------------------------
> Type: Technical
> Reported by: Johannes Knaupp <in...@firmen.jknaupp.de>
>
> Section: 4.1.1
>
> Original Text
> -------------
> Servers SHOULD NOT include more than one Set-Cookie header field in
> the same response with the same cookie-name. (See Section 5.2 for
> how user agents handle this case.)
>
>
>
> Corrected Text
> --------------
> Servers MUST NOT include more than one Set-Cookie header field in
> the same response.
The spec says what it says on purpose. Changing the text as suggested
would break the cookie system.
Best regards, Julian
Barry Leiba
Oct 26, 2013, 10:07:17 AM10/26/13
to RFC Errata System, in...@firmen.jknaupp.de, pres...@qti.qualcomm.com, http-...@ietf.org, aba...@eecs.berkeley.edu
> The spec says what it says on purpose. Changing the text as suggested
> would break the cookie system.
Indeed. In particular, we know that 6265 doesn't always match up with 2616, because it's documenting how cookies are used, and the usage isn't always strictly correct.
I'll mark this one "rejected" for that reason.
Barry
Daniel Stenberg
Oct 26, 2013, 2:14:03 PM10/26/13
to Barry Leiba, in...@firmen.jknaupp.de, pres...@qti.qualcomm.com, http-...@ietf.org, aba...@eecs.berkeley.edu, RFC Errata System
wrong.
--
/ daniel.haxx.se
Reply all
Reply to author
Forward
0 new messages