Hi Fernando,

On Tue, Jul 05, 2005 at 02:33:01PM -0300, Fernando Nemec wrote:
> I started to write a cookie interface following rfc 2109 (2965 is on the
> schedule, but I intend to finish 2109 support and then go to 2965) and
> I need the list's support to answer a few questions about the expected
> behaviour.
>
> 1. Should the "Version" attribute really be required as rfc 2109 says?

In general the way to answer questions like this is to follow what the RFC says unless doing so will significantly hurt interoperability with real-world servers; except when not following the RFC causes some more serious (e.g. security) issue.

(this is my way of avoiding the question: I don't know the answer, you can decide for yourself :)

> 2. Should the cookie interface check for unexpected cookie sharing
> between different domains? I ask this because as far as I can see until
> now, ne_session handles just one host at a time.

I think it should at minimum be able to handle a cookie "store"/cache which contains cookies from domains other than those relevant for the current session, and have logic to know to only send the appropriate cookies.

> 3. What should I do when I receive a host like this:
>
> Domain=folha.com.br
>
> I know RFC 2109 says this domain will be rejected because the value
> doesn't begin with a dot. On the other hand, user-agents' behaviour
> follows Postel's law and accepts a domain like this one.

Again - is this something that's likely to be seen in the wild? 2109 does explicitly state that such cookies are to be rejected in section 4.3.2.

(Apologies if I'm slow to respond to further questions as I'm about to go away on holiday.)

Regards,

joe
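
The Domain checks of RFC 2109 section 4.3.2 and the "only send the appropriate cookies" logic discussed in this message, as an added example that is not part of the original post or of neon. `domain_match` and `rfc2109_domain_ok` are hypothetical names, hosts are assumed to be FQDNs rather than IP addresses, and the `example.com` names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helpers, not part of neon. Hosts are assumed to be
 * FQDNs, not IP addresses. */

/* RFC 2109 domain-match: equal strings, or host = N + domain where N is
 * non-empty and domain starts with a dot. Also the test a cookie store
 * applies when choosing which stored cookies to send to a host. */
int domain_match(const char *host, const char *domain)
{
    size_t hlen = strlen(host), dlen = strlen(domain);

    if (strcasecmp(host, domain) == 0)
        return 1;
    return domain[0] == '.' && hlen > dlen
        && strcasecmp(host + (hlen - dlen), domain) == 0;
}

/* Section 4.3.2 Domain checks on a received Set-Cookie.
 * Returns 1 to accept the cookie, 0 to reject it. */
int rfc2109_domain_ok(const char *host, const char *domain)
{
    size_t hlen = strlen(host), dlen = strlen(domain);
    const char *dot;

    if (domain[0] != '.')                 /* no leading dot */
        return 0;
    dot = strchr(domain + 1, '.');
    if (dot == NULL || dot[1] == '\0')    /* no embedded dot, e.g. ".com" */
        return 0;
    if (hlen <= dlen || !domain_match(host, domain))
        return 0;                         /* cookie for someone else's domain */
    if (memchr(host, '.', hlen - dlen))   /* H in host = H + D contains a dot */
        return 0;
    return 1;
}

int main(void)
{
    printf("%d\n", rfc2109_domain_ok("www.folha.com.br", "folha.com.br"));  /* 0 */
    printf("%d\n", rfc2109_domain_ok("www.folha.com.br", ".folha.com.br")); /* 1 */
    printf("%d\n", rfc2109_domain_ok("a.b.example.com", ".example.com"));   /* 0 */
    printf("%d\n", rfc2109_domain_ok("folha.com.br", ".com.br"));           /* 1 */
    return 0;
}
```

The last call shows a limit of the embedded-dot rule: `.com.br` passes it, so a cookie store that relies only on these checks would send that cookie to every other `.com.br` host and needs an additional check for such registry-level suffixes.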
