authorJames Tucker <jftucker@gmail.com>2013-01-21 20:12:57 -0800
committerJames Tucker <jftucker@gmail.com>2013-01-21 20:12:57 -0800
commit5e0a9413a80e9b0aa8a74bfc806fb20f2ea0bf3c (patch)
tree7f7bbb4fd8a677cf64550db49992e28bfaa217e2
parentaea54b6d0ba7cb069b3ae30db54dd453fc41490c (diff)
downloadrack-5e0a9413a80e9b0aa8a74bfc806fb20f2ea0bf3c.tar.gz
Switch to RFC 2822 expiresrfc2822_expires
-rw-r--r--lib/rack/utils.rb27
-rw-r--r--test/spec_response.rb14
2 files changed, 31 insertions, 10 deletions
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 3373b111..3ffdb3a2 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -250,10 +250,31 @@ module Rack
domain = "; domain=" + value[:domain] if value[:domain]
path = "; path=" + value[:path] if value[:path]
max_age = "; max-age=" + value[:max_age] if value[:max_age]
- # According to RFC 2109, we need dashes here.
- # N.B.: cgi.rb uses spaces...
+ # There is an RFC mess in the area of date formatting for Cookies. Not
+ # only are there contradicting RFCs and examples within RFC text, but
+ # there are also numerous conflicting names of fields and partially
+ # cross-applicable specifications.
+ #
+ # These are best described in RFC 2616 3.3.1. This RFC text also
+ # specifies that RFC 822 as updated by RFC 1123 is preferred. That is a
+ # fixed length format with space-date delimeted fields.
+ #
+ # See also RFC 1123 section 5.2.14.
+ #
+ # RFC 6265 also specifies "sane-cookie-date" as RFC 1123 date, defined
+ # in RFC 2616 3.3.1. RFC 6265 also gives examples that clearly denote
+ # the space delimited format. These formats are compliant with RFC 2822.
+ #
+ # For reference, all involved RFCs are:
+ # RFC 822
+ # RFC 1123
+ # RFC 2109
+ # RFC 2616
+ # RFC 2822
+ # RFC 2965
+ # RFC 6265
expires = "; expires=" +
- rfc2109(value[:expires].clone.gmtime) if value[:expires]
+ rfc2822(value[:expires].clone.gmtime) if value[:expires]
secure = "; secure" if value[:secure]
httponly = "; HttpOnly" if value[:httponly]
value = value[:value]
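Review bot: The new `rfc2822(...)` call at the `expires =` assignment appears to emit a numeric `-0000` zone (the updated expectations in test/spec_response.rb read `expires=Thu, 01 Jan 1970 00:00:00 -0000`), while the comment added above it cites the RFC 1123 date / RFC 6265 "sane-cookie-date" form, which ends in the literal `GMT`. Cookie deletion relies on the client honouring a past `expires` (older clients ignore `max-age`), so a user agent that rejects the numeric zone could keep a cookie that was meant to be cleared, for example at logout. Consider formatting the gmtime value with `strftime("%a, %d %b %Y %H:%M:%S GMT")`, or state in the comment why `-0000` is acceptable; the same expectation recurs in the three later spec hunks. The comment's "space-date delimeted fields" should read "space-delimited date fields". The rfc2822 helper and the enclosing method lie outside this hunk, so the zone behaviour is inferred from the specs.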
diff --git a/test/spec_response.rb b/test/spec_response.rb
index ebffa733..7ba1e0e1 100644
--- a/test/spec_response.rb
+++ b/test/spec_response.rb
@@ -65,12 +65,12 @@ describe Rack::Response do
response["Set-Cookie"].should.equal ["foo=bar; domain=sample.example.com", "foo=bar; domain=.example.com"].join("\n")
end
- it "formats the Cookie expiration date accordingly to RFC 2109" do
+ it "formats the Cookie expiration date accordingly to RFC 6265" do
response = Rack::Response.new
response.set_cookie "foo", {:value => "bar", :expires => Time.now+10}
response["Set-Cookie"].should.match(
- /expires=..., \d\d-...-\d\d\d\d \d\d:\d\d:\d\d .../)
+ /expires=..., \d\d ... \d\d\d\d \d\d:\d\d:\d\d .../)
end
it "can set secure cookies" do
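Review bot: The updated pattern in the expiration spec still ends in `...`, which matches any three characters, so it passes for `GMT`, for the `-00` prefix of `-0000`, or for anything else, and does not pin the zone token that this commit changes. Ending the pattern with the exact zone the formatter emits, e.g. `/expires=..., \d\d ... \d\d\d\d \d\d:\d\d:\d\d -0000/`, would let the spec catch a regression in the date format. The spec title now names RFC 6265 while the helper and the commit title name RFC 2822; using one name in both places would avoid confusion about which grammar is being asserted.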
@@ -92,7 +92,7 @@ describe Rack::Response do
response.delete_cookie "foo"
response["Set-Cookie"].should.equal [
"foo2=bar2",
- "foo=; max-age=0; expires=Thu, 01-Jan-1970 00:00:00 GMT"
+ "foo=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000"
].join("\n")
end
@@ -102,10 +102,10 @@ describe Rack::Response do
response.set_cookie "foo", {:value => "bar", :domain => ".example.com"}
response["Set-Cookie"].should.equal ["foo=bar; domain=sample.example.com", "foo=bar; domain=.example.com"].join("\n")
response.delete_cookie "foo", :domain => ".example.com"
- response["Set-Cookie"].should.equal ["foo=bar; domain=sample.example.com", "foo=; domain=.example.com; max-age=0; expires=Thu, 01-Jan-1970 00:00:00 GMT"].join("\n")
+ response["Set-Cookie"].should.equal ["foo=bar; domain=sample.example.com", "foo=; domain=.example.com; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000"].join("\n")
response.delete_cookie "foo", :domain => "sample.example.com"
- response["Set-Cookie"].should.equal ["foo=; domain=.example.com; max-age=0; expires=Thu, 01-Jan-1970 00:00:00 GMT",
- "foo=; domain=sample.example.com; max-age=0; expires=Thu, 01-Jan-1970 00:00:00 GMT"].join("\n")
+ response["Set-Cookie"].should.equal ["foo=; domain=.example.com; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000",
+ "foo=; domain=sample.example.com; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000"].join("\n")
end
it "can delete cookies with the same name with different paths" do
@@ -117,7 +117,7 @@ describe Rack::Response do
response.delete_cookie "foo", :path => "/path"
response["Set-Cookie"].should.equal ["foo=bar; path=/",
- "foo=; path=/path; max-age=0; expires=Thu, 01-Jan-1970 00:00:00 GMT"].join("\n")
+ "foo=; path=/path; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000"].join("\n")
end
it "can do redirects" do