HTTP Working Group                                    David M. Kristol
INTERNET DRAFT                  Bell Laboratories, Lucent Technologies
                                                      February 3, 1997
                                                Expires August 3, 1997

               HTTP State Management Mechanism (Errata)

Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress.''

To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).

This is author's draft 1.9.

1. ABSTRACT

This document contains miscellaneous small wording changes and
clarifications to draft-ietf-http-state-mgmt-05, the HTTP State
Management Mechanism draft.

2. PROPOSED CHANGES

Changes are referenced to the sections in the original document. New
or changed text is shown in []'s.

4.2.2 Set-Cookie Syntax

Under the heading: Comment=comment:

``Optional. Because cookies can contain private information about a
user, the [Comment] attribute allows an origin server to document its
intended use of a cookie....''

Under the heading: Secure:

``Optional.
The Secure attribute (with no value) directs the user agent to use
only (unspecified) secure means to contact the origin server whenever
it sends back this cookie[, to protect the confidentiality and
authenticity of the information in the cookie].''

4.2.3 Controlling Caching

The directive max-age=0 is necessary in the Cache-Control header to
force revalidation. Therefore, two example headers must change.

The example header in the second bullet should read

    Cache-Control: must-revalidate[, max-age=0]

The example header in the third bullet should read

    Cache-Control: proxy-revalidate[, max-age=0]

4.3.2 Rejecting Cookies

``To prevent possible security or privacy violations, a user agent
rejects a cookie (shall not store its information) if any of the
following is true [of the attributes explicitly present in the
Set-Cookie response header]:...''

10.2 Compatibility with Microsoft's Implementation

[Insert new section between current sections 10.1 and 10.2.]

``Microsoft Internet Explorer (MSIE) Version 3 and earlier will fail
to handle some cookies that use this specification. For example, if a
server sends the following response header to MSIE V3 (omitting the
line breaks):

    Set-cookie: xx="1=2&3-4"; Comment="blah"; Version=1;
        Max-Age=15552000; Path=/;
        Expires=Sun, 27 Apr 1997 01:16:23 GMT

then MSIE V3 will send something like the following request header
next time:

    Cookie: Max-Age=15552000

instead of the correct

    Cookie: xx="1=2&3-4"

In other words, MSIE sends back the wrong cookie name and value.''

3. ACKNOWLEDGEMENTS

The following people identified problems and/or suggested improvements
in draft-ietf-http-state-mgmt-05: Anselm Baird Smith (reported by Koen
Holtman), Jason Catlett, Martijn Koster (reported by Koen Holtman),
Raymie Stata.

4. AUTHOR'S ADDRESS

David M. Kristol
Bell Laboratories, Lucent Technologies
600 Mountain Ave.
Room 2A-227
Murray Hill, NJ 07974

Phone: (908) 582-2250
FAX: (908) 582-5809
Email: dmk@bell-labs.com

Expires August 3, 1997

Kristol            draft-ietf-http-state-mgmt-errata-00.txt
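
The symptom described in section 10.2, seen from the origin server, as an added example that is not part of the draft: a Cookie request header is parsed and flagged when a Set-Cookie attribute name comes back as the cookie name. The function names, the `expected_name` parameter and the rule that the server never names its own cookies after an attribute are assumptions of this example.

```python
# Added example: flag Cookie request headers in which a Set-Cookie
# attribute name came back as the cookie name (the MSIE V3 symptom).

# Attribute names from Set-Cookie (section 4.2.2) plus Netscape's Expires.
# A conforming client echoes attributes with a "$" prefix ($Version, $Path,
# $Domain), so a bare attribute name here is never a legitimate echo.
# Assumption: the server never names its own cookies after an attribute.
SET_COOKIE_ATTRS = {"comment", "domain", "max-age", "path", "secure",
                    "version", "expires"}


def split_pairs(header_value):
    """Split a Cookie header value on ';' or ',' outside quoted-strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in header_value:
        if escaped:                       # character after a backslash
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch in ";," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_cookie_header(header_value):
    """Return ordered (name, value) pairs; value keeps its quotes."""
    pairs = []
    for part in split_pairs(header_value):
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def classify(header_value, expected_name):
    """Return 'misparsed', 'ok' or 'absent' for the cookie we set."""
    names = [name for name, _ in parse_cookie_header(header_value)]
    if any(n.lower() in SET_COOKIE_ATTRS for n in names):
        return "misparsed"
    return "ok" if expected_name in names else "absent"


if __name__ == "__main__":
    # The two request headers quoted in section 10.2.
    for value in ('Max-Age=15552000', 'xx="1=2&3-4"'):
        print(value, "->", classify(value, "xx"))
```

A server that sees `misparsed` can treat the request as carrying no state and fall back to a Set-Cookie form the client handles, rather than trusting the returned name and value.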