Bug 208985 - Set-Cookie2: not accepted (RFC 2965)
Status: RESOLVED WONTFIX
Keywords: helpwanted
Product: Core
Classification: Components
Component: Networking: Cookies
Version: Trunk
Platform: All All
Importance: -- enhancement with 7 votes
Target Milestone: Future
Assigned To: Nobody; OK to take it and work on it
Duplicates: 93119 393697
Depends on: 230933
Reported: 2003-06-10 16:27 PDT by kochhar
Modified: 2012-06-20 20:32 PDT

Description kochhar 2003-06-10 16:27:01 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Cookies can be specified by web servers using set-cookie or set-cookie2 headers.
 (The latter is the newer format.) Mozilla does not accept or return the
newer-format cookie specifications. 

Reproducible: Always

Steps to Reproduce:
1.  Install apache2 web server.
2.  Edit httpd.conf to enable cookies/user-tracking: 
    - uncomment the LoadModule usertrack_module line
    - add these 3 lines near the LogFormat definitions:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"Apache=%{cookie}n\""  user_tracking
CookieTracking on
CookieStyle Cookie2 
    - Change the CustomLog declaration to use the above defined log format:
CustomLog logs/access.log user_tracking

3. Run the apache server
4. Enable the cookie acceptance warning in Mozilla, and hit a couple of pages.

Actual Results:
If you look at the access.log file, you'll see apache sending cookies of the form:
"Apache=192.168.0.12.1055286034869313"
but Mozilla doesn't recognize them.
Also, most lines have a separate Apache= cookie value since the browser isn't
returning them.
The cookies are also not visible in the cookie manager.

Expected Results:  
Prompted the user to accept the cookie, shown it in the cookie manager, and
returned it to the server.

To see the correct behavior with older-style cookies, change the httpd.conf
CookieStyle line to:
CookieStyle Cookie
and then Mozilla will recognize the cookies.
Comment 1 Darin Fisher 2003-06-10 17:47:59 PDT
Does IE6 support Set-Cookie2?

The only related bug I could find is bug 93119, which Stephen Morse closed as
WORKSFORME.  I'm a bit confused by that resolution since I don't see any support
for Set-Cookie2 in our codebase.  I honestly don't know anything about the
Set-Cookie2 specification.  Any pointers would be appreciated.  If IE6 doesn't
support this feature then I'm not sure we should rush to support it either. 
Otherwise, this needs to be given higher priority.

http://lxr.mozilla.org/seamonkey/search?string=set-cookie2 returns no match.
Comment 2 dwitte@gmail.com 2003-06-10 19:34:02 PDT
set-cookie2 is specified in RFC2965. supporting it would mean a few new parser
rules and stricter version checking (to differentiate set-cookie2 cookies from
set-cookie ones), I believe.

I agree with darin, I don't think we really want to go there unless there's a
compelling feature that set-cookie2 has that its predecessor doesn't, or unless
IE supports it (which I don't think it does).

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2965.html
Comment 3 kochhar 2003-06-11 08:44:05 PDT
I agree that it's not an urgent need since I don't believe ie6 yet supports
these.  However, microsoft docs on .NET (I don't use it so can't confirm) do
talk about set-cookie2 support (search for 2965 on microsoft.com); also, python,
php, perl etc. (e.g. see http://wwwsearch.sourceforge.net/ClientCookie/,
http://www.javaworld.com/javaworld/jw-04-2002/jw-0426-cookie_p.html) libraries
are starting to support both formats, and apache and tomcat are moving towards
recommending the newer cookie styles (currently they can be set up to serve old
or new format) and there're sites that do the newer format...

I think it would be prudent to plan for eventual support, but perhaps for now a
debug/error message (or privacy icon error status) to indicate that Mozilla
recognized a set-cookie2 header, but doesn't support it would be useful --- so
one doesn't wonder why a user's preferences aren't sticking on a site???


Comment 4 benc 2003-06-12 10:14:12 PDT
Darin: re bug 93119, I think he marked it WFM incorrectly, so I'm flipping it
into a dupe of this bug, which has a much better discussion + server config steps.
Comment 5 benc 2003-06-12 10:14:35 PDT
*** Bug 93119 has been marked as a duplicate of this bug. ***
Comment 6 Olivier Cahagne 2003-07-23 01:41:37 PDT
I believe IE6 works ok with Set-Cookie2 as I can successfully login to an
Intranet host (removed: xxx) where Mozilla 20030721 fails, see the sniffer trace:

GET /sales/go/ca/emea HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030721 Netscape7/7.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: fr,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: userid=ocahagne; CP=null*; CP_GUTC=144.254.58.252.27624105886265048; Trans_ID=I9$W9BOD$DBIOFWIW9I9O$Z9DAFDD9O$3C.X

HTTP/1.1 200 OK
Date: Wed, 23 Jul 2003 08:02:23 GMT
Server: Apache/1.0 (Unix) ApacheJServ/1.1.2
Servlet-Engine: Tomcat Web Server/3.2.3 (JSP 1.1; Servlet 2.2; Java 1.3.1_04; SunOS 5.8 sparc; java.vendor=Sun Microsystems Inc.)
Set-Cookie2: JSESSIONID=85tkxfgi01.SPPORTd;Version=1;Discard;Path="/sales"
Set-Cookie: JSESSIONID=85tkxfgi01.SPPORTd;Path=/sales
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

Found these bug reports on Tomcat and e-mail for reference that may show there's
a bug with the server which misled Mozilla?
http://www.caucho.com/support/resin-interest/0107/0646.html
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=343
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=5250
Comment 7 Georg Maaß 2003-08-30 09:33:42 PDT
Set-Cookie conforming to RFC 2109 also does not work. The cookies fire the
prompt to request the user for acceptance, but the cookie is never accepted and
never visible in the cookie manager nor sent back to the server. Only cookies
conforming to the Netscape proposal are accepted. If there is a Cookie
conforming to the Netscape proposal and a Set-Cookie is received for the same
cookie but conforming to RFC 2109 then the old cookie is deleted and disappears
from the cookie manager.
Comment 8 dwitte@gmail.com 2003-08-30 16:18:43 PDT
er, we support RFC2109. if you have a specific bug, report it and we might fix
it - general statements are useless.
Comment 9 Norbert Pabis 2004-06-14 09:39:55 PDT
So, what about this bug?
Is something going on with RFC 2965 cookies in mozilla?
Comment 10 Darin Fisher 2004-06-15 11:06:40 PDT
> So, what about this bug?
> Is something going on with RFC 2965 cookies in mozilla?

no plans from me to implement this.
Comment 11 dwitte@gmail.com 2004-06-21 20:47:56 PDT
okay, so let's get some more information here... i have a couple of testcases
up, one for rfc2109 (just as a reference) and one for rfc2965, to check for support:

http://moneypenny.stanford.edu/mconnor/rfc2109-testcase.html
http://moneypenny.stanford.edu/mconnor/rfc2965-testcase.html

can someone please run these past IE6, and check if the said cookies exist from
moneypenny.stanford.edu?

mconnor also pointed me to this URL, which has a reference for the MS .NET impl
of Set-Cookie2:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemNetCookieClassVersionTopic.asp
Comment 12 dwitte@gmail.com 2004-06-22 02:49:28 PDT
mcsmurf kindly ran those testcases past IE6 for me, and confirmed that it
doesn't handle Set-Cookie2 (in META tags, anyway).

so this looks like purely a .NET thing, for MS...
Comment 13 dwitte@gmail.com 2004-06-22 02:56:18 PDT
timeless tested safari 1.2.2 and opera7.50 for macosx. no go on those either.
Comment 14 dwitte@gmail.com 2004-06-25 00:20:23 PDT
adding dependency on bug 230933, since this will require a new cookie file
format. (this may be a reason, in future, for implementing a new fileformat, so
it's important to keep track of it.)
Comment 15 Dan Harkless 2006-12-07 17:49:20 PST
Tested IE7.  Got:

    cookie2109=set 

    check above for "cookie2965"! 

So still not implemented in IE, it would seem.
Comment 16 Phil Ringnalda (:philor) 2007-08-25 12:23:53 PDT
*** Bug 393697 has been marked as a duplicate of this bug. ***
Comment 17 dwitte@gmail.com 2007-11-07 19:08:17 PST
per bug 393697, Opera apparently supports Set-Cookie2, as of 2007-08-25 if not earlier (the reporter doesn't specify the opera version).
Comment 18 Vyacheslav Sedov 2008-01-31 09:23:29 PST
i guess in early Firefox4 we can try to add sending "Cookie2:$Version=1" in every request headers without modifying any other cookie-related code and see what happens (*very* eXtreme Programming style):

1. FF4 easily starts to look like it supports Cookies2 (for servers & developers)
2. *Maybe* some servers will act with FF4 with Cookies2 and we get some error reports
3. Just fixing error reports on demand

p.s. Maybe i can add this header into my existing FF3 installation easily and try?

Comment 19 David E. Ross 2011-10-05 15:16:23 PDT
Note that RFC 2965 is now obsolete, replaced by RFC 6265.  
"In particular, in moving RFC 2965 to Historic and obsoleting it, this document [RFC 6265] deprecates the use of the Cookie2 and Set-Cookie2 header fields."  

Actually, I was searching for a different cookie bug report.  I don't really understand this one.  Thus, someone else should update the Summary.
Comment 20 Sebastian Zartner 2012-06-20 00:18:50 PDT
According to comment 19 I believe this issue could be marked as WONTFIX.

Sebastian
Comment 21 Masatoshi Kimura [:emk] 2012-06-20 20:32:48 PDT
Also Opera removed Cookie2 support.
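
Added example, not part of the bug thread and not Mozilla code: a small audit that reads captured response headers and reports, for a client that ignores Set-Cookie2, which cookies are carried only by the deprecated header. It uses the cookie headers quoted in comment 6 and a constructed response for the "CookieStyle Cookie2" setup from the description; the function names and the attribute layout of the constructed response are assumptions.

```python
import re

# NAME=VALUE or attr[=value]; a value may be an RFC 2965 quoted-string.
_PAIR = re.compile(r'\s*([^=;\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*(?:;|$)')

def parse_cookie(value):
    """Parse one cookie from a Set-Cookie or Set-Cookie2 field value.
    Assumes one cookie per header line (Set-Cookie2 also permits a comma list)."""
    pairs = []
    for m in _PAIR.finditer(value):
        val = m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # unquote Path="/sales" style values
        pairs.append((m.group(1), val))
    (name, val), attrs = pairs[0], pairs[1:]
    return name, val, {k.lower(): v for k, v in attrs}

def audit_response(header_lines):
    """Map each cookie name to 'ok', 'fallback' or 'lost' from the point of
    view of a client that ignores Set-Cookie2."""
    seen = {}  # cookie name -> set of header fields that carried it
    for line in header_lines:
        field, _, value = line.partition(":")
        field = field.strip().lower()
        if field in ("set-cookie", "set-cookie2"):
            seen.setdefault(parse_cookie(value)[0], set()).add(field)
    report = {}
    for name, fields in seen.items():
        if fields == {"set-cookie2"}:
            report[name] = "lost"      # only the deprecated header carries it
        elif "set-cookie2" in fields:
            report[name] = "fallback"  # a Set-Cookie copy of the same name exists
        else:
            report[name] = "ok"
    return report

# Cookie headers from the response quoted in comment 6.
TOMCAT_RESPONSE = [
    'Set-Cookie2: JSESSIONID=85tkxfgi01.SPPORTd;Version=1;Discard;Path="/sales"',
    "Set-Cookie: JSESSIONID=85tkxfgi01.SPPORTd;Path=/sales",
]
# Constructed: what a "CookieStyle Cookie2" server might send (attributes assumed).
USERTRACK_RESPONSE = [
    "Set-Cookie2: Apache=192.168.0.12.1055286034869313; path=/; version=1",
]

if __name__ == "__main__":
    print(audit_response(TOMCAT_RESPONSE))
    print(audit_response(USERTRACK_RESPONSE))
```

A "lost" result matches the symptom in the description, where the server keeps issuing a fresh Apache= value because the browser never returns one.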
