The Haphazard Creation of the HTTP Cookie Standard
Monday, January 31st, 2011

The World Wide Web was originally designed to be stateless. That is, information is not remembered between visits to various web pages, or even to the same web page. Today, of course, that is not the case, and the main mechanism for carrying information between visits is the cookie, also known as a browser cookie or an HTTP cookie. Cookies contain a small amount of text data that your browser stores and sends back to the web server whenever you request a web page from that server. This permits many things, such as keeping you logged in, remembering your settings, or tracking which items you’ve looked at in an online store.
As a web developer, I know that the rules governing HTTP cookies are pretty loose. There have been some efforts to make a concrete standard, but nothing has been formally approved, and the existing IETF RFCs are taken as suggestions by browser manufacturers rather than rules. I didn’t know just how bad it was, however, until I read the linked article. Cookies were defined in a haphazard manner and have stayed that way ever since. Each browser implements cookies in a slightly different manner, and don’t even ask me about the limits on the size of individual cookies, the number of cookies per domain, the total number of cookies, and the total size of all cookies combined. The linked article says, “there is simply no accurate, official account of cookie behavior in modern browsers.” As a web developer, unfortunately, you have to go with the lowest common denominator when working with cookies. Definitely not the way to specify such an important part of the internet.
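An added example, not from this post or from the linked article, of what “lowest common denominator” looks like in practice: a small Python helper that only emits cookies every browser can be expected to handle the same way. The byte and per-domain budgets and the name/value grammar are assumptions taken from RFC 2109 and RFC 6265, and the sample expiry date is constructed.

```python
import re
from datetime import datetime, timezone

# Conservative budget: the 4096-byte-per-cookie minimum browsers are asked to
# honour (RFC 2109 and RFC 6265) and the older 20-per-domain figure from
# RFC 2109, chosen here as the lowest common denominator (an assumption).
MAX_COOKIE_BYTES = 4096
MAX_COOKIES_PER_DOMAIN = 20

# RFC 6265 grammar: a name is an HTTP token; a value is made of cookie-octets
# (no controls, whitespace, double quote, comma, semicolon or backslash).
# Browsers disagree on everything outside this, so anything else is rejected.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

# Constructed sample expiry used by the checks below (the day after this post).
SAMPLE_EXPIRY = datetime(2011, 2, 1, 0, 0, 0, tzinfo=timezone.utc)


def build_set_cookie(name, value, *, expires=None, path="/",
                     secure=True, http_only=True):
    """Return a Set-Cookie header value, or raise ValueError when the cookie
    would depend on behaviour that is not implemented the same way everywhere.
    `expires` must be a timezone-aware datetime."""
    if not _TOKEN.match(name):
        raise ValueError(f"cookie name {name!r} is not an HTTP token")
    if not _COOKIE_OCTET.match(value):
        raise ValueError("cookie value contains characters browsers parse inconsistently")
    parts = [f"{name}={value}", f"Path={path}"]
    if expires is not None:
        # Expires rather than Max-Age: some browsers of the period ignored Max-Age.
        stamp = expires.astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
        parts.append(f"Expires={stamp}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    header = "; ".join(parts)
    if len(header.encode("ascii")) > MAX_COOKIE_BYTES:
        raise ValueError("cookie exceeds 4096 bytes; some browsers silently drop it")
    return header


def is_safe_cookie(name, value):
    """True if build_set_cookie() accepts the name/value pair with default attributes."""
    try:
        build_set_cookie(name, value)
        return True
    except ValueError:
        return False


def over_budget_domains(names_by_domain):
    """Given {domain: [cookie names set on it]}, return the domains that exceed
    the per-domain budget, the point at which older browsers start evicting cookies."""
    return sorted(domain for domain, names in names_by_domain.items()
                  if len(set(names)) > MAX_COOKIES_PER_DOMAIN)
```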
Link: http://lcamtuf.blogspot.com/…
(via Slashdot)