Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Issue with MAX_COOKIE_HEADER_LEN
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 17 May 2023 16:29:46 +0200 (CEST)
On Wed, 17 May 2023, Daniel Stenberg via curl-library wrote:
> Beyond 8K something HTTP servers are going to cause problems with their
> maximum header line lengths and then it becomes even harder to interop.
Something else struck me and here's a suitable RFC reference:
https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5
To allow for better compression efficiency, the Cookie header field
MAY be split into separate header fields, each with one or more
cookie-pairs. If
Meaning: for outgoing requests, at least for HTTP/2, we could split the header
into multiple header lines. As long as each individual name + value pair is
shorter than 8K combined, but I presume they usually are.
This however goes directly against RFC 6265 section 5.4 which says:
When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field.
(almost the exact same wording is kept in the RFC 6265bis draft-12)
It makes me suspect that doing this would introduce interop problems. :-(
Date: Wed, 17 May 2023 16:29:46 +0200 (CEST)
On Wed, 17 May 2023, Daniel Stenberg via curl-library wrote:
> Beyond 8K something HTTP servers are going to cause problems with their
> maximum header line lengths and then it becomes even harder to interop.
Something else struck me and here's a suitable RFC reference:
https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.5
To allow for better compression efficiency, the Cookie header field
MAY be split into separate header fields, each with one or more
cookie-pairs. If
Meaning: for outgoing requests, at least for HTTP/2, we could split the header
into multiple header lines. As long as each individual name + value pair is
shorter than 8K combined, but I presume they usually are.
This however goes directly against RFC 6265 section 5.4 which says:
When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field.
(almost the exact same wording is kept in the RFC 6265bis draft-12)
It makes me suspect that doing this would introduce interop problems. :-(
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2023-05-17