RFC 6265, "HTTP State Management Mechanism", April 2011
Source of RFC: httpstate (app)
Errata ID: 3663
Status: Held for Document Update
Reported By: Dave Thaler
Date Reported: 2013-06-17
Held for Document Update by: Barry Leiba
Date Held: 2013-08-07
Section 5.1.4 says:
A request-path path-matches a given cookie-path if at least one of the following conditions holds:

o  The cookie-path and the request-path are identical.
It should say:
A request-path path-matches a given cookie-path if at least one of the following conditions holds:

o  The cookie-path and the request-path are identical.

   Note that this differs from the rules in RFC 3986 for equivalence of the path component, and hence two equivalent paths can have different cookies.
The "identical" rule differs from the URI equivalence rule(s) in RFC 3986
sections 6.2 and 2.1 (e.g., "If two URIs differ only in the case of hexadecimal
digits used in percent-encoded octets, they are equivalent.") The fact that
equivalent URIs have different cookies arguably violates the principle of
least astonishment. To avoid significant confusion and prevent such surprise,
this fact should be noted so that it is at least not unexpected.
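
The difference the notes describe, as an added example that is not part of the erratum or of RFC 6265: the Section 5.1.4 path-match beside the RFC 3986 percent-encoding normalization, with a check that lists request paths that are equivalent to a matching path yet receive no cookie. The function names and sample paths are constructed, and dot-segment removal is left out.

```javascript
// Added example, not text from RFC 6265 or the erratum.
// Function names and sample paths are constructed for illustration.

const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// RFC 3986 sections 6.2.2.1 and 6.2.2.2 only: uppercase the hex digits of
// percent-encoded octets, decode octets that encode unreserved characters.
// Dot-segment removal (6.2.2.3) is deliberately left out.
function normalizePath(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}

// RFC 6265 section 5.1.4 path-match: character-by-character comparison,
// with no normalization of either path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Request paths that would path-match once both sides are normalized,
// but do not path-match as written: equivalent URIs, different cookies.
function equivalentButUnmatched(cookiePath, requestPaths) {
  const normalizedCookiePath = normalizePath(cookiePath);
  return requestPaths.filter(
    (p) =>
      !pathMatches(p, cookiePath) &&
      pathMatches(normalizePath(p), normalizedCookiePath)
  );
}

const COOKIE_PATH = "/app/%7Ealice"; // constructed sample cookie-path
const SAMPLE_REQUEST_PATHS = [
  "/app/%7Ealice/inbox", // identical spelling of the prefix
  "/app/%7ealice/inbox", // differs only in hex-digit case
  "/app/~alice/inbox",   // unreserved character left unencoded
  "/app/%7Ealicex",      // different path, not a segment boundary
];

for (const p of SAMPLE_REQUEST_PATHS) {
  console.log(p.padEnd(24), pathMatches(p, COOKIE_PATH) ? "cookie sent" : "no cookie");
}
console.log("equivalent but unmatched:",
  equivalentButUnmatched(COOKIE_PATH, SAMPLE_REQUEST_PATHS));
```

Running the check over an application's own route list shows which spellings of a path would silently lose a path-scoped cookie.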