What is the current state of the Cookie2 specification?

前端 未结 3 947
一个人的身影
一个人的身影 2021-02-13 15:40

Do you have some information regarding browsers that implement/plan to implement this part of the HTTP 1.1 specification? Additionally, what frameworks have already implemented

相关标签:
3条回答
  • 2021-02-13 16:13

    Read RFC 6265 which obsoletes rfc 2965. It has advice not to use or implement cookie2

    0 讨论(0)
  • 2021-02-13 16:13

    The current state is that most browser only fully support the initial Cookie specification by Netscape.

    Set-Cookie/Cookie per RFC 2109 are only supported by some browser (I don’t know which) and Set-Cookie2/Cookie2 per RFC 2965 only by Opera.

    0 讨论(0)
  • 2021-02-13 16:31

    Update: the Cookie2 specification never caught on, and RFC 6265 now declares it obsolete, making this question moot - though it's possibly still interesting to see a discussion of why it failed.

    The answer below was written in 2009.


    I'll mainly answer the second part.

    I did some research into it recently and am now firmly of the opinion that no, it is not ready for use, and I would not use it.

    Finding concrete data on the existing specification that will work with current browsers and proxies is difficult, because cookies started out as a proprietary browser extension and continue to have proprietary features added, like the most recent "http-only" flag. I think by and large the industry has continued to use this quasi "Netscape-style" mixed with RFC 2109 implementation, except with more loose rules about third-party cookies and some strange behaviour sometimes with non-quoted strings.

    As for whether I find it better, a read through of the spec does certainly show its benefits - ie, the client now passes back the path, domain and port parameters as 'dollar' parameters, so a web app knows what parameters to use to delete/overwrite that cookie. The ability to store comments with the cookies will be a win for the user one day, so they get the chance to see a plain text explanation of what the cookie is for, but unless browsers start warning people about cookies, who is going to see them?

    The need to send both a set-cookie and set-cookie2 header also upset the purist in me, as did the need for a client to send a Cookie2 header in addition to the Cookie header, which seemed unnecessary when I looked at it. YMMV.

    0 讨论(0)
提交回复
热议问题