Alexey Zakhlestin's Blog

Programming for Mac and Web

Everything You Didn't Want to Know About Cookies


While working on my app-server code, I bumped into a need to parse (and produce) cookie-headers, so I went to look for some specs…

At first, there was Netscape and their first spec, which wasn’t Y2K-compliant. Then, there was 1997 and the new spec, RFC2109, which fixed the Y2K problem as well as a couple of other minor issues; this is the specification used by the majority of browsers these days.

Then, in the year 2000, came RFC2965, which brings some quite interesting stuff. Unfortunately, this one is not supported by any browser but Opera (one more bit in a pile named “Opera is the most innovative standards-compliant browser”).

mnot has a nice article about browser support for cookie standards.

Now, about server-side…

PHP supports RFC2109 enhanced version of the Netscape standard (as mentioned in comments) and (since 5.2) Microsoft’s “http-only” extension. Python has support for 2965, but it is turned off by default. Ruby seems to support 2965, but I didn’t test it, nor did I find enough evidence.

I wonder which way I should implement this… Should I try detecting client capabilities and send cookies in the corresponding format (if there is a ‘Cookie2: $Version=1’ header I use SetCookie2, else I use SetCookie)? Or should I leave this decision to the user?
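The detection approach asked about above, as an added Python example (not code from the author's app server): `client_speaks_rfc2965` and `build_set_cookie` are hypothetical names, and the headers are written with their RFC spellings, `Set-Cookie` and `Set-Cookie2`. Whichever format is chosen, the producer rejects names, values and paths containing control characters or separators, so a cookie value cannot smuggle extra attributes or header lines into the response. RFC 2965 was later obsoleted by RFC 6265, so the `Set-Cookie2` branch is of historical interest.

```python
import re
import time

# Controls (including CR/LF), whitespace and separators that would end the
# value early, start a new attribute, or start a new header line.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f;,"\\\s]')
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def client_speaks_rfc2965(request_headers):
    """True if a Cookie2 request header announces $Version 1 or higher."""
    for name, value in request_headers:
        if name.lower() != "cookie2":
            continue
        # RFC 2965 examples quote the version ($Version="1"); accept both forms.
        m = re.fullmatch(r'\s*\$Version\s*=\s*"?(\d+)"?\s*', value)
        if m and int(m.group(1)) >= 1:
            return True
    return False


def build_set_cookie(request_headers, name, value, max_age, path="/", now=None):
    """Return (header_name, header_value) in the format the client understands."""
    if not _TOKEN.match(name):
        raise ValueError("cookie name must be an HTTP token")
    if _UNSAFE.search(value) or _UNSAFE.search(path):
        raise ValueError("cookie value/path contains a control or separator character")
    if client_speaks_rfc2965(request_headers):
        # RFC 2965 style: quoted values, explicit Version, relative Max-Age.
        return ("Set-Cookie2",
                f'{name}="{value}"; Version="1"; Max-Age={int(max_age)}; Path="{path}"')
    # Netscape style: absolute expiry date instead of Max-Age.
    when = (time.time() if now is None else now) + max_age
    expires = time.strftime("%a, %d-%b-%Y %H:%M:%S GMT", time.gmtime(when))
    return ("Set-Cookie", f"{name}={value}; expires={expires}; path={path}")
```
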
