On Fri, Jan 22, 2010 at 10:45 PM, Luke Plant <l.plant...@cantab.net> wrote:
> On Saturday 23 January 2010 02:44:39 Luke Plant wrote:
>
> > BTW, further research shows that we are not really RFC 2109
> > compliant at all, but then again no-one is. It seems virtually
> > everyone (server side and client side) is using 'Netscape style'
> > cookies with some things adopted from RFC 2109 and RFC 2965,
> > including 'max-age' and the use of quoted-string, but not the all
> > important "Version" attribute which turns on RFC 2109 cookies.
> > Hardly anyone is using Set-Cookie2 from RFC 2965. So specs of any
> > kind are fairly meaningless here, it's a matter of what everyone
> > does.
>
> Actually, to add a bit more:
>
> http://www.ietf.org/mail-archive/web/http-state/current/msg00078.html
> http://codereview.chromium.org/17045
>
> It's all pretty horrific, it pushes me back towards adding a layer of
> quoting to our cookie handling just to try to avoid it all - but a
> robust encoding which definitely avoids all problems. We should note
> that the presence of semi-colons is more likely to cause problems than
> commas - Internet Explorer splits on semi-colons, irrespective of
> quotation marks.

Technically I imagine it is possible to come up with a way to encode all
new cookies in a safe way, but still support "decoding" old-style cookies.

That said, I have reservations about any kind of across-the-board encoding
because it makes it necessary, when/if the cookies need to be read by
JavaScript, to implement that same decode/encode on the client side.

My personal preference would be to fix the messages implementation and add
a note to the cookies documentation saying that it's "recommended to encode
cookies to avoid potential browser bugs," and list off a few of those bugs.

Tobias
--
Tobias McNulty
Caktus Consulting Group, LLC
P.O. Box 1454
Carrboro, NC 27510
(919) 951-0052
http://www.caktusgroup.com
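The "robust encoding" Luke asks for and the client-side decoding concern Tobias raises can be shown together. What follows is an added example written for this page, not Django's cookie or messages code: a cookie value is percent-encoded so that it never contains a semicolon, comma, quote, backslash or whitespace, and is decoded again on read. The `naive_split_cookie_header` function is a constructed stand-in for the lenient client behaviour described in the thread (splitting on semicolons regardless of quotes); it is not a model of any real browser's parser, and the cookie name and message text are made up.

```python
"""Cookie-safe value encoding, as discussed in the thread: percent-encode
anything a lenient or buggy cookie parser could misread, and decode it on
the way back in. Constructed example; not Django's cookie or messages code."""
import string
from urllib.parse import quote, unquote

# Characters a cookie value may carry literally: printable ASCII minus
# whitespace, CTLs, double quote, comma, semicolon and backslash.
COOKIE_OCTETS = string.ascii_letters + string.digits + "!#$%&'()*+-./:<=>?@[]^_`{|}~"

# What the encoder leaves unescaped: the same set minus '%', which is the
# escape character and must itself be encoded so decoding is unambiguous.
_QUOTE_SAFE = COOKIE_OCTETS.replace("%", "")


def is_cookie_safe(value: str) -> bool:
    """True if every character of value can be sent without quoting."""
    return all(ch in COOKIE_OCTETS for ch in value)


def encode_cookie_value(value: str) -> str:
    """Percent-encode (UTF-8) everything outside _QUOTE_SAFE. The result is
    always cookie-safe, and JavaScript can reverse it with
    decodeURIComponent(), which answers the client-side concern raised
    in the thread without a custom decoder."""
    return quote(value, safe=_QUOTE_SAFE)


def decode_cookie_value(encoded: str) -> str:
    """Inverse of encode_cookie_value; also accepts encodeURIComponent()
    output, since unquote() decodes any %XX escape of UTF-8 bytes."""
    return unquote(encoded)


def naive_split_cookie_header(header: str) -> dict:
    """Constructed stand-in for a lenient client: split the Set-Cookie
    header on ';' regardless of quotes (the Internet Explorer behaviour
    described in the thread), then each piece on its first '='."""
    fields = {}
    for piece in header.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, sep, value = piece.partition("=")
        fields[name.strip()] = value.strip() if sep else ""
    return fields


def value_seen_by_naive_client(name: str, value: str, encode: bool) -> str:
    """Send value under name, parse the header with the naive client, and
    return what it would echo back. With encode=False the value is sent as
    a quoted-string, which the naive split still cuts at the first ';'."""
    if encode:
        header = f"{name}={encode_cookie_value(value)}; Path=/"
        return decode_cookie_value(naive_split_cookie_header(header).get(name, ""))
    header = f'{name}="{value}"; Path=/'
    return naive_split_cookie_header(header).get(name, "").strip('"')


if __name__ == "__main__":
    sample = 'Saved "draft 1", see: item; details'  # constructed message text
    print("raw, naive client sees  :", value_seen_by_naive_client("messages", sample, encode=False))
    print("encoded, client sees    :", value_seen_by_naive_client("messages", sample, encode=True))
    print("wire form is cookie-safe:", is_cookie_safe(encode_cookie_value(sample)))
```

Run stand-alone, the first line shows the quoted-string form truncated at the embedded semicolon while the encoded form survives intact. Percent-encoding was chosen over a custom scheme precisely because of Tobias's point: `decodeURIComponent()` in the browser and `urllib.parse.unquote()` on the server already agree on it, so neither side needs bespoke code.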