[FASTCGI] Cookie processing in Fast CGI

Bil Corry bil at corry.biz
Fri Dec 11 04:08:02 EST 2009

Cookies were originally created by Netscape, then RFC2109 made it a formal specification, and RFC2965 superseded RFC2109 to fix certain issues and extend the functionality.  But in practice, the browser vendors ignored all of the specifications and did their own thing, mostly driven by the behavior of other browsers along with how servers actually provided Set-Cookie.

Currently, there doesn't exist a specification for cookies that actually tells you how to implement it as to be compatible with the major UAs.  We're in midsts of forming an official IETF working group that will produce such a RFC, our mailing list and draft specification (not complete) are here:


As for Set-Cookie2, only Opera supports it (IIRC) and isn't used except by a small number of sites.  I wouldn't work too hard to support it at this time.

- Bil

Tom Bowden wrote on 12/10/2009 12:16 PM: 
> The two rfc's you mention below are for Set-Cookie and Set-Cookie2.  I
> presume the Set-Cookie2 is for sending multiple cookies in one header? 
> Is that widely accepted?
> Also -- do you know which RFC includes the Content-Disposition spec?
> On Dec 9, 2009, at 6:24 PM, Rob Lemley wrote:
>> I'd recommend having rfc2109 and rfc2965 handy.

More information about the FastCGI-developers mailing list