Closed Bug 208985 Opened 21 years ago Closed 12 years ago

Set-Cookie2: not accepted (RFC 2965)


(Core :: Networking: Cookies, enhancement)

Not set





(Reporter: kochhar, Unassigned)



(Keywords: helpwanted)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Cookies can be specified by web servers using set-cookie or set-cookie2 headers.
 (The latter is the newer format.) Mozilla does not accept or return the
newer-format cookie specifications. 

Reproducible: Always

Steps to Reproduce:
1.  Install apache2 web server.
2.  Edit httpd.conf to enable cookies/user-tracking: 
    - uncomment the LoadModule usertrack_module line
    - add these 3 lines near the LogFormat definitions:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
\"Apache=%{cookie}n\""  user_tracking
CookieTracking on
CookieStyle Cookie2 
    - Change the CustomLog declaration to use the above defined log format:
CustomLog logs/access.log user_tracking

3. Run the apache server
4. Enable the cookie acceptance warning in Mozilla, and hit a couple of pages.  
Actual Results:  
If you look at the access.log file, you'll see apache sending cookies of the form:
but Mozilla doesn't recognize them.
Also, most lines have a separate Apache= cookie value since the browser isn't
returning them.
The cookies are also not visible in the cookie manager.

Expected Results:  
Prompted the user to accept the cookie, shown it in the cookie manager, and
returned it to the server.

To see the correct behavior with older-style cookies, change the httpd.conf
CookieStyle line to:
CookieStyle Cookie
and then Mozilla will recognize the cookies.
Does IE6 support Set-Cookie2?

The only related bug I could find is bug 93119, which Stephen Morse closed as
WORKSFORME.  I'm a bit confused by that resolution since I don't see any support
for Set-Cookie2 in our codebase.  I honestly don't know anything about the
Set-Cookie2 specification.  Any pointers would be appreciated.  If IE6 doesn't
support this feature then I'm not sure we should rush to support it either. 
Otherwise, this needs to be given higher priority. returns no match.
Severity: major → enhancement
Depends on: 93119
Ever confirmed: true
Whiteboard: [DUPEME?]
Target Milestone: --- → Future
set-cookie2 is specified in RFC2965. supporting it would mean a few new parser
rules and stricter version checking (to differentiate set-cookie2 cookies from
set-cookie ones), I believe.

I agree with darin, I don't think we really want to go there unless there's a
compelling feature that set-cookie2 has that its predecessor doesn't, or unless
IE supports it (which I don't think it does).
I agree that it's not an urgent need since I don't believe ie6 yet supports
these.  However, microsoft docs on .NET (I don't use it so can't confirm) do
talk about set-cookie2 support (search for 2965 on; also, python,
php, perl etc. (e.g. see, libraries
are starting to support both formats, and apache and tomcat are moving towards
recommending the newer cookie styles (currently they can be set up to server old
or new format) and there're sites that do the newer format...

I think it would be prudent to plan for eventual support, but perhaps for now a
debug/error message (or privacy icon error status) to indicate that Mozilla
recognized a set-cookie2 header, but doesn't support it would be useful --- so
one doesn't wonder why a user's preferences aren't sticking on a site???

Darin: re bug 93119, I think he marked it WFM incorrectly, so I'm flipping it
into a dupe of this bug, which has a much better discussion + server config steps.
Summary: Mozilla does not accept cookies specified via Set-Cookie2 headers → Set-Cookie2: not accepted
Whiteboard: [DUPEME?]
No longer depends on: 93119
*** Bug 93119 has been marked as a duplicate of this bug. ***
I believe IE6 works ok with Set-Cookie2 as I can succesfully login to an
Intranet host (removed: xxx) where Mozilla 20030721 fails, see the sniffer trace:

GET /sales/go/ca/emea HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b)
Gecko/20030721 Netscape7/7.1
Accept-Language: fr,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: userid=ocahagne; CP=null*; CP_GUTC=;

HTTP/1.1 200 OK
Date: Wed, 23 Jul 2003 08:02:23 GMT
Server: Apache/1.0 (Unix) ApacheJServ/1.1.2
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.3.1_04;
SunOS 5.8 sparc; java.vendor=Sun Microsystems Inc.)
Set-Cookie2: JSESSIONID=85tkxfgi01.SPPORTd;Version=1;Discard;Path="/sales"
Set-Cookie: JSESSIONID=85tkxfgi01.SPPORTd;Path=/sales
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

Found these bug reports on Tomcat and e-mail for reference that may show there's
a bug with the server which mislead Mozilla ?
Summary: Set-Cookie2: not accepted → Set-Cookie2: not accepted (RFC 2965)
Set-Cookie conforming to RFC 2109 also does not work. The cookies fire the
prompt to request the user for acceptance, but the cookie is never accepted and
never visible in the cookie manager nor sent back to the server. Only cookies
conforming to the Netscape proposal are accepted. If there is a Cookie
conforimng to the Netscape proposal and a Set-Cookie is receivied for the same
cookie but conforming to RFC 2109 then the old cookie is deleted and disapears
from the cookie manager.
er, we support RFC2109. if you have a specific bug, report it and we might fix
it - general statements are useless.
So, what about this bug?
Is something going on with RFC 2965 cookies in mozilla?
> So, what about this bug?
> Is something going on with RFC 2965 cookies in mozilla?

no plans from me to implement this.
Keywords: helpwanted
okay, so let's get some more information here... i have a couple of testcases
up, one for rfc2109 (just as a reference) and one for rfc2965, to check for support:

can someone please run these past IE6, and check if the said cookies exist from

mconnor also pointed me to this URL, which has a reference for the MS .NET impl
of Set-Cookie2:
mcsmurf kindly ran those testcases past IE6 for me, and confirmed that it
doesn't handle Set-Cookie2 (in META tags, anyway).

so this looks like purely a .NET thing, for MS...
timeless tested safari 1.2.2 and opera7.50 for macosx. no go on those either.
adding dependency on bug 230933, since this will require a new cookie file
format. (this may be a reason, in future, for implementing a new fileformat, so
it's important to keep track of it.)
Depends on: 230933
OS: Windows 2000 → All
Hardware: PC → All
Assignee: darin → dveditz
Tested IE7.  Got:


    check above for "cookie2965"! 

So still not implemented in IE, it would seem.
per bug 393697, Opera apparently supports Set-Cookie2, as of 2007-08-25 if not earlier (the reporter doesn't specify the opera version).
i guess in early Firefox4 we can try to add sending "Cookie2:$Version=1" in every request headers without modifying any other cookie-related code and see what happen (*very* eXtreme Programming style):

1. FF4 easily become looking like it support Cookies2 (for servers & developers)
2. *Maybe* some servers will act with FF4 with Cookies2 and we got some error reports
3. Just fixing error reports on demand

p.s. Maybe i can add this header into my existing FF3 installation easily and try?

Assignee: dveditz → nobody
Note that RFC 2965 is now obsolete, replaced by RFC 6265.  
"In particular, in moving RFC 2965 to Historic and obsoleting it, this document [RFC 6265] deprecates the use of the Cookie2 and Set-Cookie2 header fields."  

Actually, I was searching for a different cookie bug report.  I don't really understand this one.  Thus, someone else should update the Summary.
According to comment 19 I believe this issue could be marked as WONTFIX.

Also Opera removed Cookie2 support.
Closed: 12 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.