Net: Update HTTP cookies to RFC 6265

[Spixmaster]

The current available versions for the HTTP Cookie are the original Netscape draft and RFC2109, both are obsoleted. The new specification RFC2965 is also obsoleted by RFC6265 which is the newest one.

I experience issues with the RFC2109 HTTP cookie in the Brave Browser while the Netscape HTTP Cookie works. However, the new specification should be followed long-term.

[matejk]

@Spixmaster , what issue in particular do you have with Poco's handling of HTTP cookies?

[Spixmaster]

Hello @matejk,

I have had this source code:

Poco::Net::HTTPCookie cookie = Poco::Net::HTTPCookie(
  Poco::Net::HTTPCookie::escape(constant::http_cookie::session::name),
  Poco::Net::HTTPCookie::escape(boost::uuids::to_string(uuid)));
cookie.setComment(Poco::Net::HTTPCookie::escape(message::http_cookie_comment::session));
cookie.setHttpOnly(true);
cookie.setMaxAge(constant::http_cookie::session::max_age);
cookie.setPath("/");
cookie.setSameSite(Poco::Net::HTTPCookie::SameSite::SAME_SITE_STRICT);
cookie.setSecure(true);
cookie.setVersion(1);

response.set_header("Set-Cookie", cookie.toString());

It compiles and is fine. However, it was not properly recognised by my browser, Brave Browser. The path was incorrectly /user from where the HTML form was sent and the duration was also not set properly. It was a session cookie. The issue was fixed by cookie.setVersion(0);. The Netscape draft is probably more compatible.

As I mentioned in the first text, there are several updated specifications which should be programmed long-term.

[github-actions]

This issue is stale because it has been open for 365 days with no activity.

[matejk]

Hi @Spixmaster , would you be willing to contribute a pull request that improves handling of cookies?

[Spixmaster]

I might have a look at it when I have some spare time which currently is not the case.

Before that I would like to clear a general question.

I think it would be best to have one HTTPCookie class which is programmed only for the newest standard. Having multiple versions in parallel causes headaches and increases maintenance needs.

Replace the old cookie with RFC6265.

[Spixmaster]

I have now decided that I do not have the time for helping with a merge request.

[obiltschnig]

After briefly looking at RFC 6265, it seems that the correct path forward would be:

• deprecate setVersion() and getVersion(), as the version field is no longer used in RFC 6265
• deprecate setComment() and getComment(), also no longer in RFC 6265
• format "version 0" cookies according to RFC 6265

This mostly comes down to fixing the case of the field names for serializing "version 0" cookies,
and include any fields not yet included, but specified in RFC 6265 in "version 0" cookies.

[obiltschnig]

#4982