<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hey Alessio,</p>
<p>Well, that's a good question. <br>
</p>
<p>I guess the first thing to notice is that JBEAP-11442 refers to
"optional support for RFC6265" in Undertow, so there's nothing
being forced on us.</p>
<p>There are 25 Resteasy JIRAs that mention cookies. <br>
</p>
<p> 1. A lot of these are old and I've ignored them. <br>
</p>
<p> 2. There are a few issues closed by me, Jim, and Rebecca that
are bug fixes, and, as such, I don't think they can cause any
problems, since they would just, if anything, bring us closer to
correct implementation of the spec (but see below).</p>
<p> 3. And then there's RESTEASY-1516 "Cookies sent by
resteasy-client are not spec compliant" (open) and the related
RESTEASY-1266 "Fix cookie processing" (closed). <br>
</p>
<p>I started to get ambitious in RESTEASY-1266 and then just did a
bug fix and closed it. That leaves RESTEASY-1516, for which I
created <a class="moz-txt-link-freetext" href="https://github.com/jax-rs/api/issues/554">https://github.com/jax-rs/api/issues/554</a> "Clarify
documentation ambiguities", which refers to
<a class="moz-txt-link-freetext" href="https://github.com/jax-rs/api/issues/435">https://github.com/jax-rs/api/issues/435</a> "<span
class="js-issue-title">Update Cookie and NewCookie to RFC 6265"</span>.
There doesn't seem to be any reaction to either of them. <br>
</p>
<p>The problem is that the JAX-RS spec (specifically
javax.ws.rs.core.Cookie and javax.ws.rs.core.NewCookie) refer to
IETF RFC 2109, which is now obsolete. It seems to me that the
Expert Group should at least do something like what Undertow is
doing, by making the Cookie spec configurable. <br>
</p>
<p>Until then, I guess the most we could do is add an option to
configure which Cookie spec to use, taking advantage of what
they've done in Undertow. I don't have any sense of how useful
that would be.</p>
<p>-Ron<br>
</p>
<div class="moz-cite-prefix">On 08/17/2017 02:37 AM, Alessio Soldano
wrote:<br>
</div>
<blockquote
cite="mid:CAKQecn_rdO9tHada7X8wgnqe0RfbnYUJPbUCFvnLRXbvPj4LXA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Thanks for having shared this, Ron.<br>
</div>
Do you expect us having to revisit any of the decisions we
have taken so far regarding issues related to cookies?<br>
</div>
Cheers<br>
</div>
Alessio<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 17, 2017 at 2:41 AM, Ron
Sigal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rsigal@redhat.com" target="_blank">rsigal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">We've
talked in the past about the ambiguity in the JAX-RS spec<br>
concerning cookies. I just noticed this issue:<br>
<br>
<a moz-do-not-send="true"
href="https://issues.jboss.org/browse/JBEAP-11442"
rel="noreferrer" target="_blank">https://issues.jboss.org/<wbr>browse/JBEAP-11442</a>
"[GSS](7.0.z) Add<br>
optional support for RFC6265 compliant cookie validation"<br>
<br>
Not that there's anything we need to do about.I just thought
it might be<br>
worth knowing about.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
My company's smarter than your company (unless you work
for Red Hat)<br>
<br>
______________________________<wbr>_________________<br>
resteasy-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:resteasy-dev@lists.jboss.org">resteasy-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/resteasy-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/resteasy-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
My company's smarter than your company (unless you work for Red Hat)</pre>
</body>
</html>