doc/internals/http-cookies.txt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

2010/08/31 - HTTP Cookies - Theory and reality

HTTP cookies are not uniformly supported across browsers, which makes it very
hard to build a widely compatible implementation. At least four conflicting
documents exist to describe how cookies should be handled, and browsers
generally don't respect any but a sensibly selected mix of them :

  - Netscape's original spec (also mirrored at Curl's site among others) :
    http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
    http://curl.haxx.se/rfc/cookie_spec.html

    Issues: uses an unquoted "Expires" field that includes a comma.

  - RFC 2109 :
    http://www.ietf.org/rfc/rfc2109.txt

    Issues: specifies use of "Max-Age" (not universally implemented) and does
            not talk about "Expires" (generally supported). References quoted
            strings, not generally supported (eg: MSIE). Stricter than browsers
            about domains. Ambiguous about allowed spaces in values and attrs.

  - RFC 2965 :
    http://www.ietf.org/rfc/rfc2965.txt

    Issues: same as RFC2109 + describes Set-Cookie2 which only Opera supports.

  - Current internet draft :
    https://datatracker.ietf.org/wg/httpstate/charter/

    Issues: as of -p10, does not explain how the Set-Cookie2 header must be
            emitted/handled, while suggesting a stricter approach for Cookie.
            Documents reality and as such reintroduces the widely used unquoted
            "Expires" attribute with its error-prone syntax. States that a
            server should not emit more than one cookie per Set-Cookie header,
            which is incompatible with HTTP which says that multiple headers
            are allowed only if they can be folded.

See also the following URL for a browser * feature matrix :
   http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

In short, MSIE and Safari neither support quoted strings nor max-age, which
make it mandatory to continue to send an unquoted Expires value (maybe the
day of week could be omitted though). Only Safari supports comma-separated
lists of Set-Cookie headers. Support for cross-domains is not uniform either.