What is the current state of the Cookie2 specification?

一个人的身影 2021-02-13 15:40

Do you have some information regarding browsers that implement/plan to implement this part of the HTTP 1.1 specification? Additionally, what frameworks have already implemented

3 answers
  • 2021-02-13 16:13

    Read RFC 6265, which obsoletes RFC 2965. It has advice not to use or implement Cookie2.

  • 2021-02-13 16:13

    The current state is that most browsers only fully support the initial Cookie specification by Netscape.

    Set-Cookie/Cookie per RFC 2109 are only supported by some browsers (I don’t know which) and Set-Cookie2/Cookie2 per RFC 2965 only by Opera.

  • 2021-02-13 16:31

    Update: the Cookie2 specification never caught on, and RFC 6265 now declares it obsolete, making this question moot - though it's possibly still interesting to see a discussion of why it failed.

    The answer below was written in 2009.


    I'll mainly answer the second part.

    I did some research into it recently and am now firmly of the opinion that no, it is not ready for use, and I would not use it.

    Finding concrete data on the existing specification that will work with current browsers and proxies is difficult, because cookies started out as a proprietary browser extension and continue to have proprietary features added, like the most recent "http-only" flag. I think by and large the industry has continued to use this quasi "Netscape-style" mixed with RFC 2109 implementation, except with more loose rules about third-party cookies and some strange behaviour sometimes with non-quoted strings.

    As for whether I find it better, a read-through of the spec does certainly show its benefits - i.e., the client now passes back the path, domain and port parameters as 'dollar' parameters, so a web app knows what parameters to use to delete/overwrite that cookie. The ability to store comments with the cookies will be a win for the user one day, so they get the chance to see a plain text explanation of what the cookie is for, but unless browsers start warning people about cookies, who is going to see them?

    The need to send both a set-cookie and set-cookie2 header also upset the purist in me, as did the need for a client to send a Cookie2 header in addition to the Cookie header, which seemed unnecessary when I looked at it. YMMV.

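The last answer mentions that under RFC 2965 the client sends each cookie's path, domain and port back as "dollar" parameters. As an added example (not part of any answer above, and not any framework's code), here is a small Python parser for that request-header form next to a plain split on `;`; the function names and the sample header are constructed for illustration.

```python
import re

# One name=value pair. The value is a quoted-string (which may itself contain
# ';' or ',') or a bare token; RFC 2965 allows ';' or ',' between pairs.
_PAIR = re.compile(
    r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*(?:[;,]|$)')

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value

def parse_cookie_rfc2965(header):
    """Return (version, cookies); $Path/$Domain/$Port attach to the cookie before them."""
    version, cookies = None, []
    for m in _PAIR.finditer(header):
        name, value = m.group(1), _unquote(m.group(2))
        if not name.startswith('$'):
            cookies.append({'name': name, 'value': value})
        elif name.lower() == '$version' and not cookies:
            version = value
        elif cookies and name.lower() in ('$path', '$domain', '$port'):
            cookies[-1][name[1:].lower()] = value
        # Any other $-name is reserved by the RFC and is dropped, never
        # surfaced to the application as a cookie.
    return version, cookies

def parse_cookie_naive(header):
    """Netscape-style split on ';' that knows nothing about $-attributes."""
    pairs = (p.split('=', 1) for p in header.split(';') if '=' in p)
    return {k.strip(): v.strip() for k, v in pairs}

# Constructed sample in the RFC 2965 request syntax (not captured traffic).
SAMPLE = ('$Version="1"; session="abc;123"; $Path="/app"; '
          '$Domain=".example.com"; theme=dark; $Path="/"')

if __name__ == '__main__':
    print(parse_cookie_rfc2965(SAMPLE))
    print(parse_cookie_naive(SAMPLE))
```

On the sample, the plain split reports `$Path` and `$Domain` as if they were cookies and cuts the quoted `session` value at its inner `;`, while the RFC 2965 parser attaches the attributes to the cookie they follow.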