daniel:// stenberg://

1 year ago

daniel:// stenberg://
1 year ago

The rfc6265bis document - the updated #cookie spec - is now in draft-14: ietf.org/archive/id/draft-ietf…

It has been in the works for almost a decade by now!

Cookies: HTTP State Management Mechanism

This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP pr…

^www.ietf.org

#cookie

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 year ago

a fun change in this draft compared to the RFC:

"The user agent MUST limit the maximum value of the Max-Age attribute. The limit SHOULD NOT be greater than 400 days (34560000 seconds) in duration. The RECOMMENDED limit is 400 days in duration, but the user agent MAY adjust the limit. Max-Age attributes that are greater than the limit MUST be reduced to the limit."

This entry was edited (1 year ago)

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 1 year ago

400, hu? So that cookies from Santa Claus have a chance to still be there next year?

in reply to Stefan Eissing

daniel:// stenberg://

in reply to Stefan Eissing 1 year ago

"Why 400 days? The goal was to get close to 13 months so that functions one might perform annually (e.g., selecting insurance benefits for the next year) would work even as specific dates varied slightly"

(quote from the original PR with text that was eventually merged)

github.com/httpwg/http-extensi…

Standardize maximum Expires/Max-Age by arichiv · Pull Request #1732 · httpwg/http-extensions

The current spec is ambiguous on (1) what the maximum Expires/Max-Age attribute values can be and (2) whether the two must be consistent. This resolves both by requiring: The maximum attribute val...

^GitHub

This entry was edited (1 year ago)

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 1 year ago

So it was Santa Claus!😌

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 1 year ago

finally people will be able to use cookies!

in reply to Stefan Eissing

daniel:// stenberg://

in reply to Stefan Eissing 1 year ago

this is certainly not making cookies simpler...

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 year ago

my own little contrib that shows in -14 came via this: github.com/httpwg/http-extensi…

Multiple Cookie: headers vs RFC 9113 · Issue #2541 · httpwg/http-extensions

In the original 6265 as well as in the latest 6265bis draft, this paragraph exists: When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field. ...

^GitHub

in reply to daniel:// stenberg://

Koos van den Hout

in reply to daniel:// stenberg:// 1 year ago

still with wildcard cookies (those for .example.com that match *.example.com). I really do wonder what the use-cases for those are that don't involve tracking for advertising.

in reply to Koos van den Hout

daniel:// stenberg://

in reply to Koos van den Hout 1 year ago

@KHoos cookies are basically always wildcard since they tailmatch. They were made to work like that in the 90s, long before cookies tracked users. Also, without "third party cookies", it is hard to see how they can actually track users successfully.

@Koos van den Hout

in reply to daniel:// stenberg://

jub0bs

in reply to daniel:// stenberg:// 1 year ago

@KHoos I'm not sure what you mean by "cookies are basically always wildcard since they tailmatch"... 🤔

A cookie's Domain attribute determines its scope. In the case of a cookie set without a Domain attribute, browsers only include it in requests to the host that set it.

Am I missing something?

@Koos van den Hout

This entry was edited (1 year ago)

in reply to jub0bs

daniel:// stenberg://

in reply to jub0bs 1 year ago

@jub0bs @KHoos sure, but the domain property always existed and has been used widely since the beginning

@Koos van den Hout @jub0bs

Unknown parent

daniel:// stenberg://

Unknown parent 1 year ago

@jeroen @KHoos if you use Chrome you will never escape being tracked. That's unrelated to cookies.

@Jeroen Massar @Koos van den Hout

⇧

daniel:// stenberg:// 1 year ago • •

daniel:// stenberg://
1 year ago