Return-Path: 
 <dev-return-38072-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 87962 invoked by uid 500); 3 Jun 2003 16:13:39 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Delivered-To: moderator for dev@httpd.apache.org
Received: (qmail 51524 invoked from network); 3 Jun 2003 15:04:02 -0000
Message-ID: <3EDCB893.2070600@entegrity.com>
Date: Tue, 03 Jun 2003 11:02:43 -0400
From: Ryan Eberhard <ryan.eberhard@entegrity.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
 rv:1.0.2) Gecko/20021120 Netscape/7.01
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: dev@httpd.apache.org
Subject: Re: Bug 18388: Set-Cookie header not honored on 304 (Not modified)
 status
References: <3EDCB64E.1090301@entegrity.com>
Content-Type: multipart/alternative;
 boundary="------------050202090605020909040000"
X-MW-BTID: 090225000020031545424100000
X-MW-CTIME: 1054652640
HOP-COUNT: 1
X-MAILWATCH-INSTANCEID: 01020006c4b30040-db1d-41f5-9614-119a74bfd54c
X-OriginalArrivalTime: 03 Jun 2003 15:04:01.0318 (UTC)
 FILETIME=[5DB74C60:01C329E1]
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N


--------------050202090605020909040000
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

All,

I apologize that I didn't see the discussion that had occurred on this 
topic already...  I had previously gone through the archives, but 
neglected to before sending the previous mail.

Despite the quote from Roy Fielding, I stand by my claim that Set-Cookie 
is a response-header and not an entity-header.

Ryan Eberhard wrote:

>All,
>
>I've reopened bug 18388 with the comments below.
>
>I'd love to have a discussion about Set-Cookie's proper definition -- 
>I believe it is a response-header (and thus allowed under a 304) rather than 
>an entity-header.  Given that, the proper algorithm would be to filter out 
>known entity-headers from processing under a 304 rather than explicit listing 
>of the other header types enumerated in RFC 2616.  Set-Cookie is just one 
>example of a header that is not mentioned at all in RFC 2616 (don't know if 
>there are others).
>
>Thanks,
>Ryan Eberhard
>
>Additional comments to bug 18388:
>
>Section 10.3.5 of RFC 2616 makes this statement:
>
>   "If the conditional GET used a strong cache validator (see section
>   13.3.3), the response SHOULD NOT include other entity-headers.
>   Otherwise (i.e., the conditional GET used a weak validator), the
>   response MUST NOT include other entity-headers; this prevents
>   inconsistencies between cached entity-bodies and updated headers."
>
>Note that only entity-headers are forbidden.
>
>Section 4.2 describes three sets of headers: request (defined in 5.3), response
>(defined in section 6.2), and entity (defined in section 7.1).
>
>Each of these three sections lists headers, but "Set-Cookie" is not listed in
>any of the three sets.
>
>Section 6.2 makes this statment:
>
>   "The response-header fields allow the server to pass additional
>   information about the response which cannot be placed in the Status-
>   Line."
>
>and...
>
>   "However, new or
>   experimental header fields MAY be given the semantics of response-
>   header fields if all parties in the communication recognize them to
>   be response-header fields. Unrecognized header fields are treated as
>   entity-header fields."
>
>While section 7.1 makes this statement:
>
>   "Entity-header fields define metainformation about the entity-body or,
>   if no body is present, about the resource identified by the request."
>
>Set-Cookie meets the test of universal acceptance as a known response-header and
>is much better defined as a response-header ("additional information") than as
>an entity-header ("metainformation about the entity-body").
>
>It is also important to note that other major web servers (IIS, iPlanet, and
>Domino) will return Set-Cookie headers on a 304 status.
>
>bugzilla@apache.org wrote:
>
>>DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
>>RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
>>.
>>ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
>>INSERTED IN THE BUG DATABASE.
>>
>>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18388
>>
>>Set-Cookie header not honored on 304 (Not modified) status
>>
>>trawick@apache.org changed:
>>
>>           What    |Removed                     |Added
>>----------------------------------------------------------------------------
>>             Status|NEW                         |RESOLVED
>>         Resolution|                            |INVALID
>>
>>
>>
>>------- Additional Comments From trawick@apache.org  2003-05-31 21:10 -------
>>This has been reported before (in the old PR database, against Apache 1.3).
>>The answer, in the words of Marc Slemko, is:
>>
>>"It is not valid to set a cookie in a 304 response.  Please see section 10.3.5
>>of RFC2616.  That is the reason Apache explictly lists headers that will be sent
>>and why Set-Cookie isn't one of them."
>>
>>  
>>
>
>


--------------050202090605020909040000
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
All,<br>
<br>
I apologize that I didn't see the discussion that had occurred on this topic
already... &nbsp;I had previously gone through the archives, but neglected to
before sending the previous mail.<br>
<br>
Despite the quote from Roy Fielding, I stand by my claim that Set-Cookie
is a response-header and not an entity-header.<br>
<br>
Ryan Eberhard wrote:<br>
<blockquote type="cite" cite="mid3EDCB64E.1090301@entegrity.com">     
  <meta http-equiv="Content-Type" content="text/html;">
  <title></title>
     
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
               
  <pre>All,

I've reopened bug 18388 with the comments below.

I'd love to have a discussion about Set-Cookie's proper definition -- 
I believe it is a response-header (and thus allowed under a 304) rather than 
an entity-header.  Given that, the proper algorithm would be to filter out 
known entity-headers from processing under a 304 rather than explicit listing 
of the other header types enumerated in RFC 2616.  Set-Cookie is just one 
example of a header that is not mentioned at all in RFC 2616 (don't know if 
there are others).

Thanks,
Ryan Eberhard

Additional comments to bug 18388:

Section 10.3.5 of RFC 2616 makes this statement:

   "If the conditional GET used a strong cache validator (see section
   13.3.3), the response SHOULD NOT include other entity-headers.
   Otherwise (i.e., the conditional GET used a weak validator), the
   response MUST NOT include other entity-headers; this prevents
   inconsistencies between cached entity-bodies and updated headers."

Note that only entity-headers are forbidden.

Section 4.2 describes three sets of headers: request (defined in 5.3), response
(defined in section 6.2), and entity (defined in section 7.1).

Each of these three sections lists headers, but "Set-Cookie" is not listed in
any of the three sets.

Section 6.2 makes this statment:

   "The response-header fields allow the server to pass additional
   information about the response which cannot be placed in the Status-
   Line."

and...

   "However, new or
   experimental header fields MAY be given the semantics of response-
   header fields if all parties in the communication recognize them to
   be response-header fields. Unrecognized header fields are treated as
   entity-header fields."

While section 7.1 makes this statement:

   "Entity-header fields define metainformation about the entity-body or,
   if no body is present, about the resource identified by the request."

Set-Cookie meets the test of universal acceptance as a known response-header and
is much better defined as a response-header ("additional information") than as
an entity-header ("metainformation about the entity-body").

It is also important to note that other major web servers (IIS, iPlanet, and
Domino) will return Set-Cookie headers on a 304 status.

<a class="moz-txt-link-abbreviated" href="mailto:bugzilla@apache.org">bugzilla@apache.org</a> wrote:

&gt;DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
&gt;RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
&gt;<http: //nagoya.apache.org/bugzilla/show_bug.cgi?id="18388">.
&gt;ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
&gt;INSERTED IN THE BUG DATABASE.
&gt;
&gt;<a class="moz-txt-link-freetext"
 href="http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18388">http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18388</a>
&gt;
&gt;Set-Cookie header not honored on 304 (Not modified) status
&gt;
&gt;<a class="moz-txt-link-abbreviated" href="mailto:trawick@apache.org">trawick@apache.org</a> changed:
&gt;
&gt;           What    |Removed                     |Added
&gt;----------------------------------------------------------------------------
&gt;             Status|NEW                         |RESOLVED
&gt;         Resolution|                            |INVALID
&gt;
&gt;
&gt;
&gt;------- Additional Comments From <a class="moz-txt-link-abbreviated"
 href="mailto:trawick@apache.org">trawick@apache.org</a>  2003-05-31 21:10 -------
&gt;This has been reported before (in the old PR database, against Apache 1.3).
&gt;The answer, in the words of Marc Slemko, is:
&gt;
&gt;"It is not valid to set a cookie in a 304 response.  Please see section 10.3.5
&gt;of RFC2616.  That is the reason Apache explictly lists headers that will be sent
&gt;and why Set-Cookie isn't one of them."
&gt;
&gt;  
&gt;


</http:></pre>
   </blockquote>
<br>
</body>
</html>

--------------050202090605020909040000--