
Re: Issue with MAX_COOKIE_HEADER_LEN

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 17 May 2023 16:29:46 +0200 (CEST)

On Wed, 17 May 2023, Daniel Stenberg via curl-library wrote:

> Beyond 8K something HTTP servers are going to cause problems with their
> maximum header line lengths and then it becomes even harder to interop.

Something else struck me and here's a suitable RFC reference:

  https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5

    To allow for better compression efficiency, the Cookie header field
    MAY be split into separate header fields, each with one or more
    cookie-pairs. If

Meaning: for outgoing requests, at least for HTTP/2, we could split the header
into multiple header lines. As long as each individual name + value pair is
shorter than 8K combined, but I presume they usually are.

This however goes directly against RFC 6265 section 5.4 which says:

    When the user agent generates an HTTP request, the user agent MUST
    NOT attach more than one Cookie header field.

(almost the exact same wording is kept in the RFC 6265bis draft-12)

It makes me suspect that doing this would introduce interop problems. :-(

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2023-05-17
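
The splitting idea discussed in the mail, as an added example (not curl's code and not part of the original message): cut one cookie-string into several Cookie field values at "; " boundaries, refuse when a single pair is over the limit, and rejoin with "; " on the receiving side as RFC 7540 section 8.1.2.5 requires before the value reaches a non-HTTP/2 context. The names `span`, `emit`, `cookie_split` and `cookie_join` are hypothetical, the sample string is constructed, and the limit is assumed to apply to the field value only.

```c
#include <stddef.h>
#include <string.h>
static const char sample[] = "sid=abc123; theme=dark; lang=en; tz=UTC"; /* constructed */
struct span { size_t off, len; };  /* one Cookie field value inside the input */

static int emit(struct span *out, int max, int count, size_t off, size_t len)
{
  if(!len) return count;           /* nothing collected yet */
  if(count >= max) return -1;      /* out[] is full */
  out[count] = (struct span){ off, len };
  return count + 1;
}

/* Greedy split at "; " so that no field value exceeds limit bytes. Returns
   the field count, or -1 if a single cookie-pair is longer than limit or
   more than max_out fields are needed. Hypothetical helper, not a curl API. */
int cookie_split(const char *s, size_t limit, struct span *out, int max_out)
{
  size_t n = strlen(s), start = 0, end = 0, pos = 0;
  int count = 0;
  while(pos < n && count >= 0) {
    const char *sep = strstr(s + pos, "; ");
    size_t pair_end = sep ? (size_t)(sep - s) : n;
    if(pair_end - pos > limit) return -1;  /* would need truncation: refuse */
    if(pair_end - start > limit) {         /* this pair opens the next field */
      count = emit(out, max_out, count, start, end - start);
      start = pos;
    }
    end = pair_end;
    pos = sep ? pair_end + 2 : n;
  }
  return count < 0 ? -1 : emit(out, max_out, count, start, end - start);
}

/* Receiving side: rejoin the fields with "; ". Returns length or -1. */
long cookie_join(const char *s, const struct span *f, int count,
                 char *dst, size_t dstlen)
{
  size_t w = 0;
  for(int i = 0; i < count; i++) {
    if(w + f[i].len + 3 > dstlen) return -1;  /* separator + value + NUL */
    if(i) { memcpy(dst + w, "; ", 2); w += 2; }
    memcpy(dst + w, s + f[i].off, f[i].len);
    w += f[i].len;
  }
  if(w >= dstlen) return -1;
  dst[w] = '\0';
  return (long)w;
}
```

With a 24-byte limit the sample becomes two fields and joins back to the original 39 bytes; with a 9-byte limit the split is refused because `sid=abc123` alone is 10 bytes.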