Description
The web-server/http/cookie and web-server/http/id-cookie libraries (and, to a lesser extent, web-server/http/cookie-parse) are implemented using net/cookie, which carries a big scary warning about being deprecated in favor of net/cookies from the net-cookies package, which implements RFC 6265.
I'm not sure what the web server should do about this. For my own purposes, I've more or less implemented the API of the web-server cookie libraries using net/cookies. I'm happy to clean up and share that code, but I'm not sure if it should be a package or a contribution to the web server and, if the latter, what the backwards-compatibility considerations are.
If the conclusion is that the web server should continue to provide the current libraries based on the deprecated net/cookie, it seems like the web server documentation should also note the limitations of net/cookie in appropriate places. It seems particularly relevant to web-server/http/id-cookie, as users probably want features like HttpOnly.