[AWS] Cookie Max-Age spec violation
Pascal Obry
pascal at obry.net
Mon Nov 19 22:45:12 CET 2012
Hi Maciej,
> AWS uses Duration as the type for Max-Age attribute for cookies.
> This attribute is then formatted with the fraction part, so that for
> example a one-hour cookie has the attribute set as:
>
> ...; Max-Age: 3600.00; ...
>
> The problem is that according to this:
>
> http://tools.ietf.org/html/rfc6265

Note also that this is a recent change:

As in RFC-2109, section 4.2.2 Set-Cookie syntax we can read:

   Max-Age=delta-seconds
      Optional.  The Max-Age attribute defines the lifetime of the
      cookie, in seconds.  The delta-seconds value is a decimal
      non-negative integer.  After delta-seconds seconds elapse, the
      client should discard the cookie.  A value of zero means the
      cookie should be discarded immediately.

Same in RFC-2616!

The full story is that RFC-6265 (2011) supersedes RFC-2965 (2000), which
supersedes RFC-2109 (1997)!
So in fact AWS was conformant back in 1997 and still OK in 2000 :)
--
Pascal Obry / Magny Les Hameaux (78)
The best way to travel is by means of imagination
http://v2p.fr.eu.org
http://www.obry.net
gpg --keyserver keys.gnupg.net --recv-key F949BD3B
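
Added example, not part of the original message or of the AWS code base: a Python check of Max-Age values against RFC 6265, using the server grammar of section 4.1.1 and the user-agent parsing rules of section 5.2.2. The function names and the sample headers are constructed for illustration.

```python
import re

# RFC 6265 section 4.1.1, what a server may send: non-zero-digit *DIGIT
SERVER_GRAMMAR = re.compile(r"[1-9][0-9]*")
# RFC 6265 section 5.2.2, what a user agent accepts: DIGIT or "-", then DIGITs only
UA_ACCEPTS = re.compile(r"[-0-9][0-9]*")


def max_age_values(set_cookie):
    """Return the raw Max-Age values found in one Set-Cookie header value."""
    values = []
    for attr in set_cookie.split(";")[1:]:  # element 0 is the name=value pair
        name, _, value = attr.partition("=")
        if name.strip().lower() == "max-age":
            values.append(value.strip())
    return values


def server_conformant(value):
    """True if the value is one RFC 6265 allows a server to emit."""
    return SERVER_GRAMMAR.fullmatch(value) is not None


def user_agent_delta(value):
    """Return delta-seconds as parsed by a user agent, or None if the
    attribute is ignored (the cookie then relies on Expires or is a session cookie)."""
    if UA_ACCEPTS.fullmatch(value) is None:
        return None
    try:
        return int(value)
    except ValueError:  # a lone "-" has no digits to convert; treated as ignored here
        return None


def audit(headers):
    """List (value, user-agent result) for every non-conformant Max-Age."""
    return [(v, user_agent_delta(v))
            for h in headers for v in max_age_values(h)
            if not server_conformant(v)]


# Constructed sample headers; the first carries the fractional form discussed above.
SAMPLE_HEADERS = [
    "SID=abc123; Max-Age=3600.00; Path=/",
    "SID=abc123; Max-Age=3600; Path=/",
    "SID=abc123; Max-Age=0; Path=/",
]

if __name__ == "__main__":
    for value, delta in audit(SAMPLE_HEADERS):
        print(f"Max-Age={value!r}: user agent parses {delta!r}")
```

A result of None for "3600.00" means the user agent drops the attribute, so the intended one-hour lifetime is not applied.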