Re: Bug 18388: cookies

2004-08-31 Thread Nick Kew 
On Mon, 30 Aug 2004, Geoffrey Young wrote:

 [replying to my words - largely chopped]
  Perhaps a better approach to 304 headers would be to explicitly
  exclude entity headers as enumerated in rfc2616, rather than
  explicitly include non-entity headers?  That means the default
  for proprietary extensions (which HTTP explicitly permits) becomes
  to allow them in a 304.

 fwiw, this was discussed a few times in the archives.  the one that comes to
 mind for me is this from doug:

   http://marc.theaimsgroup.com/?l=apache-httpd-devm=99298523417784w=2

That thread seems to be the same basic issue, but with reference to
RFC1945.  2616 includes additional explanation, and seems more clearly
to support the view that not only cookies but arbitrary unknown headers
(if any) should be allowed.

In the bug report 18388,  Ryan J Eberhard wrote:
It is also important to note that all other major web servers
(IIS, iPlanet, and Domino) will return Set-Cookie headers on a
304 status.
I'm in no position to confirm or deny that, but it tends to support the
proposition, and suggest that if it caused trouble in the Real World
then we could expect to know about it.

 personally, I tend to see it more from doug and nick's perspective and would
 be inclined to fix a long-standing issue that never made sense to me, but
 roy wrote the book and has unique insight here, so...

Hmm.  Would proposing it in STATUS for a vote be appropriate here?
I think if anyone wants to veto it, we should have a reason that
addresses Doug's and Ryan's arguments on the record.

-- 
Nick Kew

Re: Bug 18388: cookies

2004-08-31 Thread Jim Jagielski 
Personally, I think that if Roy said that it would
cause non-compliance then, unless he changed his mind,
that's good enough for me to veto any change that
would add Set-Cookie.
-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
  A society that will trade a little liberty for a little order
 will lose both and deserve neither - T.Jefferson

Re: Bug 18388: cookies

2004-08-31 Thread Cliff Woolley 
On Tue, 31 Aug 2004, Jim Jagielski wrote:

 Personally, I think that if Roy said that it would
 cause non-compliance then, unless he changed his mind,
 that's good enough for me to veto any change that
 would add Set-Cookie.

I strongly agree.  Roy?

--Cliff

Re: Bug 18388: cookies

2004-08-31 Thread Roy T. Fielding 
[sent this yesterday, but it bounced]
personally, I tend to see it more from doug and nick's perspective and 
would
be inclined to fix a long-standing issue that never made sense to me, 
but
roy wrote the book and has unique insight here, so...
Umm, not really -- cookies are just broken by design.  That's why they
aren't in HTTP/1.1 and why they are not listed in 304. However, it is
kind of pointless to only partly implement them, so go ahead and add
Set-Cookie and Set-Cookie2 to the 304 list.  Both the original Netscape
spec and RFC 2965 allow Set-Cookie* to be sent on any response and
expect it to be passed along in a 304, so we might as well allow folks
to do totally moronic things with cookies.
Roy

Re: Bug 18388: cookies

2004-08-31 Thread William A. Rowe, Jr. 
At 11:53 AM 8/31/2004, Cliff Woolley wrote:
On Tue, 31 Aug 2004, Jim Jagielski wrote:

 Personally, I think that if Roy said that it would
 cause non-compliance then, unless he changed his mind,
 that's good enough for me to veto any change that
 would add Set-Cookie.

I strongly agree.  Roy?

As Roy just stated, cookies aren't in RFC 2616.  Go ahead and
apply this fix - I understand both perspectives; cookies as
connection/session/auth data, and cookies as content metadata.  
The specification is really lacking in definition/.

Bill

Bug 18388: cookies

2004-08-29 Thread Nick Kew 

Trawling through a few bugs, this one looks valid to me: namely,
Set-Cookie headers should be enabled on 304 responses.

The current behaviour has a rationale, but I believe it's incorrectly
applied.  Set-Cookie is a response header and does not affect a
cached entity body, so there's no reason to suppress it.

The patch is a one-liner.  Unless anyone can come up with a reason
why it might open a security hole, I'll apply it.

-- 
Nick Kew

Re: Bug 18388: cookies

2004-08-29 Thread Jim Jagielski 
I myself would define the cookie header as an entity header,
since it *is* meta data about the body, but I can also see
it as a more traditional response header as well.
But wouldn't adding new info about the response (either
as a response header or entity header) invalidate it
actually *being* 304 (Not Modified)? In both cases,
it *is* new information about the response, in which
case the full response has, in a sense, been
modifed?

Nick Kew wrote:
 
 
 Trawling through a few bugs, this one looks valid to me: namely,
 Set-Cookie headers should be enabled on 304 responses.
 
 The current behaviour has a rationale, but I believe it's incorrectly
 applied.  Set-Cookie is a response header and does not affect a
 cached entity body, so there's no reason to suppress it.
 
 The patch is a one-liner.  Unless anyone can come up with a reason
 why it might open a security hole, I'll apply it.
 
 -- 
 Nick Kew
 


-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
  A society that will trade a little liberty for a little order
 will lose both and deserve neither - T.Jefferson

Re: Bug 18388: cookies

2004-08-29 Thread Nick Kew 
On Sun, 29 Aug 2004, Jim Jagielski wrote:

 I myself would define the cookie header as an entity header,
 since it *is* meta data about the body, but I can also see
 it as a more traditional response header as well.
 But wouldn't adding new info about the response (either
 as a response header or entity header) invalidate it
 actually *being* 304 (Not Modified)?

Would it?  A cookie is not data about the body.  The nearest analogy
amongst headers explicitly discussed in rfc2616 is authentication,
and the relevnt authentication headers *are* returned with a 304.
So are Content-Location, ETag and Vary: surely headers that would
invalidate the 304-ness if they were to change between requests?

Perhaps a better approach to 304 headers would be to explicitly
exclude entity headers as enumerated in rfc2616, rather than
explicitly include non-entity headers?  That means the default
for proprietary extensions (which HTTP explicitly permits) becomes
to allow them in a 304.

-- 
Nick Kew

Re: Bug 18388: cookies

2004-08-29 Thread Rici Lake 
Is it metadata about the body? In many cases, a cookie is
semantically information about the session; it might have
nothing to do with the particular body at all.
On 29-Aug-04, at 5:57 PM, Jim Jagielski wrote:
I myself would define the cookie header as an entity header,
since it *is* meta data about the body, but I can also see
it as a more traditional response header as well.
But wouldn't adding new info about the response (either
as a response header or entity header) invalidate it
actually *being* 304 (Not Modified)? In both cases,
it *is* new information about the response, in which
case the full response has, in a sense, been
modifed?