Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/06/03 15:54:16 UTC

DO NOT REPLY [Bug 18388] - Set-Cookie header not honored on 304 (Not modified) status

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18388

Set-Cookie header not honored on 304 (Not modified) status

ryan.eberhard@entegrity.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |



------- Additional Comments From ryan.eberhard@entegrity.com  2003-06-03 13:54 -------
Section 10.3.5 of RFC 2616 makes this statement:

   "If the conditional GET used a strong cache validator (see section
   13.3.3), the response SHOULD NOT include other entity-headers.
   Otherwise (i.e., the conditional GET used a weak validator), the
   response MUST NOT include other entity-headers; this prevents
   inconsistencies between cached entity-bodies and updated headers."

Note that only entity-headers are forbidden.

Section 4.2 describes three sets of headers: request (defined in 5.3), response
(defined in section 6.2), and entity (defined in section 7.1).

Each of these three sections lists headers, but "Set-Cookie" is not listed in
any of the three sets.

Section 6.2 makes this statement:

   "The response-header fields allow the server to pass additional
   information about the response which cannot be placed in the Status-
   Line."

and...

   "However, new or
   experimental header fields MAY be given the semantics of response-
   header fields if all parties in the communication recognize them to
   be response-header fields. Unrecognized header fields are treated as
   entity-header fields."

While section 7.1 makes this statement:

   "Entity-header fields define metainformation about the entity-body or,
   if no body is present, about the resource identified by the request."

Set-Cookie meets the test of universal acceptance as a known response-header and
is much better defined as a response-header ("additional information") than as
an entity-header ("metainformation about the entity-body").

It is also important to note that all other major web servers (IIS, iPlanet, and
Domino) will return Set-Cookie headers on a 304 status.
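
The classification question in the comment above, as an added example (not part of the original bug comment and not Apache httpd's code). It sorts response headers into the sets listed in RFC 2616 sections 4.5, 6.2 and 7.1 and shows how a 304 filter treats Set-Cookie under each reading; `classify`, `filter_304` and the `recognized` parameter are hypothetical names, and the sample headers are constructed.

```python
# Header sets as listed in RFC 2616 sections 4.5, 6.2 and 7.1 (lower-cased).
GENERAL = {"cache-control", "connection", "date", "pragma", "trailer",
           "transfer-encoding", "upgrade", "via", "warning"}
RESPONSE = {"accept-ranges", "age", "etag", "location", "proxy-authenticate",
            "retry-after", "server", "vary", "www-authenticate"}
ENTITY = {"allow", "content-encoding", "content-language", "content-length",
          "content-location", "content-md5", "content-range", "content-type",
          "expires", "last-modified"}
# Entity-headers that section 10.3.5 itself names for a 304 response.
ALLOWED_ON_304 = {"content-location", "expires"}


def classify(name, recognized=frozenset()):
    """Return 'general', 'response' or 'entity' for a response header name.

    `recognized` (hypothetical) lists extension headers that all parties treat
    as response-headers; other unlisted names fall back to entity (sec. 6.2).
    """
    n = name.lower()
    if n in GENERAL:
        return "general"
    if n in RESPONSE or n in {r.lower() for r in recognized}:
        return "response"
    return "entity"  # listed in 7.1, or unrecognized


def filter_304(headers, recognized=frozenset()):
    """Drop entity-headers from a 304 header list, keeping order and duplicates."""
    kept = []
    for name, value in headers:
        if classify(name, recognized) != "entity" or name.lower() in ALLOWED_ON_304:
            kept.append((name, value))
    return kept


# Constructed sample: headers a handler produced before the 304 was decided.
SAMPLE = [
    ("Date", "Tue, 03 Jun 2003 13:54:00 GMT"),
    ("ETag", '"abc123"'),
    ("Content-Type", "text/html"),
    ("Content-Length", "5120"),
    ("Expires", "Wed, 04 Jun 2003 13:54:00 GMT"),
    ("Set-Cookie", "session=constructed-value; Path=/"),
]

if __name__ == "__main__":
    print("unrecognized:", [n for n, _ in filter_304(SAMPLE)])
    print("recognized:  ", [n for n, _ in filter_304(SAMPLE, {"Set-Cookie"})])
```

With Set-Cookie left unrecognized, the filter drops it along with Content-Type and Content-Length; passing it in `recognized` keeps it, which is the outcome the comment argues for.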
