RFC Errata: HTTP State Management Mechanism (draft)

This page contains a draft for formal RFC errata texts related to the HTTP State Management Mechanism (RFC2109, RFC2965). The list for RFC2109 will need several parts from the list for RFC2965 (just with different section numbers), but duplicates are currently avoided in order to simplify changes.

RFC 2965, "HTTP State Management Mechanism", October 2000

Reported by: Arne Thomassen; arne@arne-thomassen.de
Date: ???

In section 1:

   The terms user agent, client, server, proxy, origin server, and
   http_URL have the same meaning as in the HTTP/1.1 specification
   [RFC2616].  The terms abs_path and absoluteURI have the same meaning
   as in the URI Syntax specification [RFC2396].

Should be:

   The terms user agent, client, server, proxy, origin server, and
   header field, and the tokens DIGIT, token, http_URL, and quoted-string
   have the same meaning as in the HTTP/1.1 specification [RFC2616].  The
   tokens abs_path and absoluteURI have the same meaning as in the URI
   Syntax specification [RFC2396].

   The grammar uses the notation from the HTTP/1.1 specification
   [RFC2616] to describe the syntax of HTTP header fields.

In section 1:

   The term effective host name is related to host name.  If a host name
   contains no dots, the effective host name is that name with the
   string .local appended to it.  Otherwise the effective host name is
   the same as the host name.  Note that all effective host names
   contain at least one dot.

Should be:

   The term effective host name is related to host name.  If a host name
   is a host domain name and contains no dots, the effective host name
   is that name with the string .local appended to it.  Otherwise the
   effective host name is the same as the host name.

In section 3.1:

   The two state management headers, Set-Cookie2 and Cookie, have common
   syntactic properties involving attribute-value pairs.  The following
   grammar uses the notation, and tokens DIGIT (decimal digits), token
   (informally, a sequence of non-special, non-white space characters),
   and http_URL from the HTTP/1.1 specification [RFC2616] to describe
   their syntax.

Should be:

   The two state management header fields Set-Cookie2 and Cookie have
   common syntactic properties involving attribute-value pairs.

In section 3.2.1:

   A user agent returns a Cookie request header (see below) to the
   origin server if it chooses to continue a session.

Should be:

   A user agent returns one or more Cookie request header fields (see
   below) to the origin server if it chooses to continue a session.

In section 3.2.2:

      confidentially and authenticity of the information in the cookie.

Should be:

      confidentiality and authenticity of the information in the cookie.

In section 3.3.4:

   3.3.4  Sending Cookies to the Origin Server  When it sends a request
   to an origin server, the user agent includes a Cookie request header
   if it has stored cookies that are applicable to the request, based on

Should be:

   3.3.4  Sending Cookies to the Origin Server  When it sends a request
   to an origin server, the user agent includes one or more Cookie
   request header fields if it has stored cookies that are applicable to
   the request, based on

In section 3.3.4:

   port            =  "$Port" [ "=" <"> value <"> ]

Should be:

   port            =  "$Port" [ "=" <"> portlist <"> ]

In section 3.3.4:

   The port attribute of the Cookie request header MUST mirror the Port
   attribute, if one was present, in the corresponding Set-Cookie2
   response header.  That is, the port attribute MUST be present if the
   Port attribute was present in the Set-Cookie2 header, and it MUST
   have the same value, if any.  Otherwise, if the Port attribute was
   absent from the Set-Cookie2 header, the attribute likewise MUST be
   omitted from the Cookie request header.

Should be:

   The port attribute of the Cookie request header field MUST be exactly
   the value of the Port attribute, if one was present, in the corre-
   sponding Set-Cookie2 response header field.  That is, the port
   attribute MUST be present if the Port attribute was present in the
   Set-Cookie2 header field, and it MUST have the same value (the exact
   character sequence), if any.  Otherwise, if the Port attribute was
   absent from the Set-Cookie2 header field, the attribute likewise MUST
   be omitted from the Cookie request header field.

In section 7.2:

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=".cracker.edu"

Should be:

         Cookie: $Version="1"; session_id="1234"
         Cookie: $Version="1"; session_id="1111"; $Domain=".cracker.edu"

Throughout the document, "header" should be "header field", and
"headers" should be "header fields", respectively.


RFC 2109, "HTTP State Management Mechanism", February 1997

Reported by: Arne Thomassen; arne@arne-thomassen.de
Date: ???

In section 4.2.1:

   An origin server may include multiple Set-Cookie headers in a
   response.  Note that an intervening gateway could fold multiple such
   headers into a single header.

Should be:

   An origin server MAY include multiple Set-Cookie header fields in a
   response.

In section 10.1.2:

   Netscape's original proposal defined an Expires header that took a
   date value in a fixed-length variant format in place of Max-Age:

Should be:

   Netscape's original proposal defined an Expires attribute that took a
   date value in a fixed-length variant format in place of Max-Age:

In section 10.1.2, the following paragraph should be appended:

   Contrary to RFC 2616, 4.2, origin servers, proxies etc. MUST NOT
   combine Set-Cookie response header fields. This restriction is
   necessary because a Set-Cookie header field that follows Netscape's
   original proposal will contain an unquoted comma after a weekday name
   in an Expires attribute value, and existing incorrect/unaware user
   agent implementations will be confused when a comma can also mean a
   cookie separator.