13

Do you have some information regarding browsers that implement/plan to implement this part of the HTTP 1.1 specification? Additionally, what frameworks have already implemented this feature? I've done my Google research but I'd like to know if there's something else.

Also, do/would you use it? Do you find it better than the Cookie/Set-Cookie implementation?

bignose
Ionuț G. Stan

3 Answers

15

Update: the Cookie2 specification never caught on, and RFC 6265 now declares it obsolete, making this question moot - though it's possibly still interesting to see a discussion of why it failed.

The answer below was written in 2009.


I'll mainly answer the second part.

I did some research into it recently and am now firmly of the opinion that no, it is not ready for use, and I would not use it.

Finding concrete data on the existing specification that will work with current browsers and proxies is difficult, because cookies started out as a proprietary browser extension and continue to have proprietary features added, like the most recent "http-only" flag. I think by and large the industry has continued to use this quasi "Netscape-style" mixed with RFC 2109 implementation, except with more loose rules about third-party cookies and some strange behaviour sometimes with non-quoted strings.

As for whether I find it better, a read through of the spec does certainly show its benefits - i.e., the client now passes back the path, domain and port parameters as 'dollar' parameters, so a web app knows what parameters to use to delete/overwrite that cookie. The ability to store comments with the cookies will be a win for the user one day, so they get the chance to see a plain text explanation of what the cookie is for, but unless browsers start warning people about cookies, who is going to see them?

The need to send both a set-cookie and set-cookie2 header also upset the purist in me, as did the need for a client to send a Cookie2 header in addition to the Cookie header, which seemed unnecessary when I looked at it. YMMV.

thomasrutter
  • I accepted this answer as it conveys much of the essence of the Cookie2 specification in a few lines. – Ionuț G. Stan Mar 01 '09 at 19:31
  • 1
    > The ability to store comments with the cookies will be a win for the user one day

    Really? I think it would be abused by phish-sites and other malware – Arioch Feb 19 '11 at 02:57
  • Today, sites are now showing cookie consent popups, all home baked by the individual website. Imagine if there were web standards that covered cookies and consent and it could be baked into web browsers and allow users to have their preference remembered between sites, instead of every site having a popup that works differently? – thomasrutter Dec 08 '21 at 04:34
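
The 'dollar' parameters mentioned in the answer above, worked through as an added example (not code from the original post or from any framework): a parser for the obsolete RFC 2965 request `Cookie` header that binds `$Path`/`$Domain`/`$Port` to the cookie they follow, plus a helper that builds the matching `Set-Cookie2` deletion value. The function names and the sample header are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of RFC 2965's own request examples.
SAMPLE = ('$Version="1"; Customer="WILE_E_COYOTE"; $Path="/acme"; '
          'Part_Number="Rocket_Launcher_0001"; $Path="/acme/ammo"; '
          '$Domain=".example.com"')

# One name=value pair; the value is a quoted-string or a bare token.
_PAIR = re.compile(r'\s*([^=;,\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,]*)\s*(?:[;,]|$)')

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value

def parse_rfc2965_cookie(header):
    """Return (version, cookies); $Path/$Domain/$Port bind to the cookie before them."""
    header, pos, version, cookies = header.strip(), 0, None, []
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if not m:
            raise ValueError('malformed pair at offset %d' % pos)
        name, value, pos = m.group(1), _unquote(m.group(2)), m.end()
        if not name.startswith('$'):
            cookies.append({'name': name, 'value': value})
        elif name.lower() == '$version' and not cookies:
            version = value
        elif name.lower() in ('$path', '$domain', '$port') and cookies:
            cookies[-1][name[1:].lower()] = value
        else:
            raise ValueError('misplaced or unknown attribute %s' % name)
    return version, cookies

def expiry_header(cookie, version='1'):
    """Set-Cookie2 value that discards `cookie`, scoped by what the client echoed."""
    parts = ['%s=""' % cookie['name'], 'Max-Age=0']
    for attr in ('path', 'domain'):
        if attr in cookie:
            # Echoed values are client-controlled: refuse anything that could
            # break out of the quoted-string or split the response header.
            if re.search(r'["\\;\r\n]', cookie[attr]):
                raise ValueError('unsafe %s value' % attr)
            parts.append('%s="%s"' % (attr.capitalize(), cookie[attr]))
    parts.append('Version="%s"' % version)
    return '; '.join(parts)
```
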
10

Read RFC 6265, which obsoletes RFC 2965. It has advice not to use or implement Cookie2.

phorgan1
  • More specifically, RFC 6265 page 34 explicitly calls Cookie2/Set-Cookie2 "obsoleted". http://tools.ietf.org/html/rfc6265#page-34 – lambshaanxy Nov 29 '12 at 10:59
3

The current state is that most browsers only fully support the initial Cookie specification by Netscape.

Set-Cookie/Cookie per RFC 2109 are only supported by some browsers (I don’t know which) and Set-Cookie2/Cookie2 per RFC 2965 only by Opera.

Community
Gumbo
  • Yes, that's right. But my Google Code search revealed that some frameworks took care to implement this specification despite its support in current browsers. – Ionuț G. Stan Feb 26 '09 at 12:13