[Mailman-Developers] cookies

Harald Meland Harald.Meland@usit.uio.no
12 May 2000 21:04:56 +0200


[Ricardo Kustner]

> you used 2 test cookies in your example, but I'm not sure if that's
> necessary...

It is once others besides me get a user database :), because then they
will have cross-list authentication using a single cookie.  In that
scenario it would be a shame if the test cookie overwrote a valid
authentication cookie for some other list.

> also, AFAIK, deleting a cookie can be done by re-setting it with an
> empty value (though I believe there are some old versions of either
> IE or Netscape which have a bug with this feature)

I'd prefer to go with the method described in RFC 2109:

4.2.2  Set-Cookie Syntax
[...]
   Max-Age=delta-seconds
      Optional.  The Max-Age attribute defines the lifetime of the
      cookie, in seconds.  The delta-seconds value is a decimal non-
      negative integer.  After delta-seconds seconds elapse, the client
      should discard the cookie.  A value of zero means the cookie
      should be discarded immediately.

> > Of course, if there are any (major) browsers in use out there that
> > don't understand Max-Age, it would be a bad idea to change Mailman.
> this is the first time I've heard about Max-Age

RFC 2109 is dated February 1997, and one of its authors was a
Netscape employee.  I'll try issuing Cookies with Max-Age instead of
Expires for our own users, and let you know how it goes >-)
-- 
Harald
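
The two points discussed in this message (a separately named test cookie, and deletion via Max-Age=0 rather than an empty value), modelled as an added example that is not part of the original post and is not Mailman's code. The cookie names, values and paths are constructed, and the toy client assumes a default Path of "/" and keys cookies by name and path only.

```python
# Added example: toy client-side cookie jar following the RFC 2109 Max-Age rule.
# Cookie names, values and paths below are constructed for illustration.

def parse_set_cookie(header):
    """Split 'NAME=VALUE; Attr=val; ...' into (name, value, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs

def apply_set_cookie(jar, header, now=0):
    """Update jar (dict keyed by (name, path)) as a Max-Age-aware client would."""
    name, value, attrs = parse_set_cookie(header)
    key = (name, attrs.get("path", "/"))   # assumption: default Path is "/"
    max_age = attrs.get("max-age")
    if max_age is not None and int(max_age) == 0:
        jar.pop(key, None)                 # zero means discard immediately
        return jar
    expires_at = now + int(max_age) if max_age is not None else None
    jar[key] = (value, expires_at)         # same name + path replaces the old cookie
    return jar

def delete_cookie_header(name, path):
    """Deletion header in the style preferred in the post: Max-Age=0, same Path."""
    return f'{name}=""; Max-Age=0; Path={path}; Version=1'

def demo():
    jar = {}
    apply_set_cookie(jar, "site-auth=token123; Path=/mailman; Version=1")
    # A separately named test cookie leaves the authentication cookie alone.
    apply_set_cookie(jar, "cookie-test=1; Path=/mailman; Version=1")
    auth_survives = jar[("site-auth", "/mailman")][0] == "token123"
    # Re-setting with an empty value keeps an (empty) cookie in this jar...
    apply_set_cookie(jar, 'cookie-test=""; Path=/mailman; Version=1')
    empty_still_present = ("cookie-test", "/mailman") in jar
    # ...while Max-Age=0 removes it.
    apply_set_cookie(jar, delete_cookie_header("cookie-test", "/mailman"))
    deleted = ("cookie-test", "/mailman") not in jar
    return auth_survives, empty_still_present, deleted

if __name__ == "__main__":
    print(demo())
```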