[WEB SECURITY] sequence of cookies in a request

Evans, Arian Arian.Evans at fishnetsecurity.com
Fri Dec 2 14:15:22 EST 2005


The majority of browsers implement/follow RFC 2109 more closely than 2965.

Most web servers/browsers don't follow 2965 at all (where it differs
from 2109, that is).

For the paragraph below, they are identical.

I know of no other specification for cookie sequencing, unless you
count Netscape's old pre-RFC cookie paper.

-ae

> -----Original Message-----
> From: Peter Conrad [mailto:conrad at tivano.de] 
> Sent: Friday, December 02, 2005 2:49 AM
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] sequence of cookies in a request
> 
> 
> Hi,
> 
> On Wed, Nov 30, 2005 at 06:27:45PM +0100, Achim Hoffmann wrote:
> > Does somebody know a paper/link where I can find a definition how browsers
> > (should) send cookies?
> > 
> > In particular I'm interested in the sequence of cookies (name=value pairs)
> > the browser places in the Cookie: header.
> 
> RFC 2965 Section 3.3.4:
> 
>    If multiple cookies satisfy the criteria above, they are ordered in
>    the Cookie header such that those with more specific Path attributes
>    precede those with less specific.  Ordering with respect to other
>    attributes (e.g., Domain) is unspecified.
> 
> I wouldn't rely on it, though...
> 
> Bye,
> 	Peter
> -- 
> Peter Conrad                        Tel: +49 6102 / 80 99 072
> [ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
> Bahnhofstr. 18                      http://www.tivano.de/
> 63263 Neu-Isenburg
> 
> Germany
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 
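
The ordering rule quoted from RFC 2965 Section 3.3.4, next to a server-side read that does not depend on it, as an added example that is not part of the original thread. The cookie names, values and function names are constructed for illustration, and path length is used as a stand-in for "more specific Path".

```javascript
// Constructed sample: cookies a user agent holds that all match one request.
const matching = [
  { name: "session", value: "root-scope", path: "/" },
  { name: "theme", value: "dark", path: "/" },
  { name: "session", value: "app-scope", path: "/app/admin" },
  { name: "lang", value: "en", path: "/app" },
];

// Build the Cookie header value with more specific (longer) Path first.
// Every matching Path is a prefix of the request path, so length is a usable
// proxy. Order among equal paths is unspecified; the stable sort keeps input order.
function buildCookieHeader(cookies) {
  return [...cookies]
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Parse a Cookie header into every value seen per name, in header order.
function parseCookieHeader(header) {
  const seen = new Map();
  for (const part of header.split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty, nameless or malformed pairs
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return seen;
}

// Names that arrive more than once: which value "wins" would depend on order.
function ambiguousNames(header) {
  return [...parseCookieHeader(header)]
    .filter(([, values]) => values.length > 1)
    .map(([name]) => name);
}

// Read a security-relevant cookie only when exactly one value was sent,
// so the result is the same whatever order the client used.
function readStrict(header, name) {
  const values = parseCookieHeader(header).get(name) || [];
  return values.length === 1 ? values[0] : null;
}
```

A request for which `ambiguousNames` returns a security-relevant name is worth logging, since the application would otherwise pick a value based on an ordering that clients are not guaranteed to follow.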
