add rfc spec · jon.recoil.org/ocaml-cookeio@1a6994b

jon.recoil.org / ocaml-cookeio

forked from anil.recoil.org/ocaml-cookeio

fork atom

OCaml HTTP cookie handling library with support for Eio-based storage jars

fork atom

add rfc spec

anil.recoil.org 3 months ago 1a6994b9 dd4af50b

+2075

1 changed file

expand all

unified split

spec

rfc6265.txt

+2075

spec/rfc6265.txt

··· 1 + 2 + 3 + 4 + 5 + 6 + 7 + Internet Engineering Task Force (IETF) A. Barth 8 + Request for Comments: 6265 U.C. Berkeley 9 + Obsoletes: 2965 April 2011 10 + Category: Standards Track 11 + ISSN: 2070-1721 12 + 13 + 14 + HTTP State Management Mechanism 15 + 16 + Abstract 17 + 18 + This document defines the HTTP Cookie and Set-Cookie header fields. 19 + These header fields can be used by HTTP servers to store state 20 + (called cookies) at HTTP user agents, letting the servers maintain a 21 + stateful session over the mostly stateless HTTP protocol. Although 22 + cookies have many historical infelicities that degrade their security 23 + and privacy, the Cookie and Set-Cookie header fields are widely used 24 + on the Internet. This document obsoletes RFC 2965. 25 + 26 + Status of This Memo 27 + 28 + This is an Internet Standards Track document. 29 + 30 + This document is a product of the Internet Engineering Task Force 31 + (IETF). It represents the consensus of the IETF community. It has 32 + received public review and has been approved for publication by the 33 + Internet Engineering Steering Group (IESG). Further information on 34 + Internet Standards is available in Section 2 of RFC 5741. 35 + 36 + Information about the current status of this document, any errata, 37 + and how to provide feedback on it may be obtained at 38 + http://www.rfc-editor.org/info/rfc6265. 39 + 40 + Copyright Notice 41 + 42 + Copyright (c) 2011 IETF Trust and the persons identified as the 43 + document authors. All rights reserved. 44 + 45 + This document is subject to BCP 78 and the IETF Trust's Legal 46 + Provisions Relating to IETF Documents 47 + (http://trustee.ietf.org/license-info) in effect on the date of 48 + publication of this document. Please review these documents 49 + carefully, as they describe your rights and restrictions with respect 50 + to this document. Code Components extracted from this document must 51 + include Simplified BSD License text as described in Section 4.e of 52 + the Trust Legal Provisions and are provided without warranty as 53 + described in the Simplified BSD License. 54 + 55 + 56 + 57 + 58 + Barth Standards Track [Page 1] 59 + 60 + RFC 6265 HTTP State Management Mechanism April 2011 61 + 62 + 63 + This document may contain material from IETF Documents or IETF 64 + Contributions published or made publicly available before November 65 + 10, 2008. The person(s) controlling the copyright in some of this 66 + material may not have granted the IETF Trust the right to allow 67 + modifications of such material outside the IETF Standards Process. 68 + Without obtaining an adequate license from the person(s) controlling 69 + the copyright in such materials, this document may not be modified 70 + outside the IETF Standards Process, and derivative works of it may 71 + not be created outside the IETF Standards Process, except to format 72 + it for publication as an RFC or to translate it into languages other 73 + than English. 74 + 75 + Table of Contents 76 + 77 + 1. Introduction ....................................................3 78 + 2. Conventions .....................................................4 79 + 2.1. Conformance Criteria .......................................4 80 + 2.2. Syntax Notation ............................................5 81 + 2.3. Terminology ................................................5 82 + 3. Overview ........................................................6 83 + 3.1. Examples ...................................................6 84 + 4. Server Requirements .............................................8 85 + 4.1. Set-Cookie .................................................8 86 + 4.1.1. Syntax ..............................................8 87 + 4.1.2. Semantics (Non-Normative) ..........................10 88 + 4.2. Cookie ....................................................13 89 + 4.2.1. Syntax .............................................13 90 + 4.2.2. Semantics ..........................................13 91 + 5. User Agent Requirements ........................................14 92 + 5.1. Subcomponent Algorithms ...................................14 93 + 5.1.1. Dates ..............................................14 94 + 5.1.2. Canonicalized Host Names ...........................16 95 + 5.1.3. Domain Matching ....................................16 96 + 5.1.4. Paths and Path-Match ...............................16 97 + 5.2. The Set-Cookie Header .....................................17 98 + 5.2.1. The Expires Attribute ..............................19 99 + 5.2.2. The Max-Age Attribute ..............................20 100 + 5.2.3. The Domain Attribute ...............................20 101 + 5.2.4. The Path Attribute .................................21 102 + 5.2.5. The Secure Attribute ...............................21 103 + 5.2.6. The HttpOnly Attribute .............................21 104 + 5.3. Storage Model .............................................21 105 + 5.4. The Cookie Header .........................................25 106 + 6. Implementation Considerations ..................................27 107 + 6.1. Limits ....................................................27 108 + 6.2. Application Programming Interfaces ........................27 109 + 6.3. IDNA Dependency and Migration .............................27 110 + 7. Privacy Considerations .........................................28 111 + 112 + 113 + 114 + Barth Standards Track [Page 2] 115 + 116 + RFC 6265 HTTP State Management Mechanism April 2011 117 + 118 + 119 + 7.1. Third-Party Cookies .......................................28 120 + 7.2. User Controls .............................................28 121 + 7.3. Expiration Dates ..........................................29 122 + 8. Security Considerations ........................................29 123 + 8.1. Overview ..................................................29 124 + 8.2. Ambient Authority .........................................30 125 + 8.3. Clear Text ................................................30 126 + 8.4. Session Identifiers .......................................31 127 + 8.5. Weak Confidentiality ......................................32 128 + 8.6. Weak Integrity ............................................32 129 + 8.7. Reliance on DNS ...........................................33 130 + 9. IANA Considerations ............................................33 131 + 9.1. Cookie ....................................................34 132 + 9.2. Set-Cookie ................................................34 133 + 9.3. Cookie2 ...................................................34 134 + 9.4. Set-Cookie2 ...............................................34 135 + 10. References ....................................................35 136 + 10.1. Normative References .....................................35 137 + 10.2. Informative References ...................................35 138 + Appendix A. Acknowledgements ......................................37 139 + 140 + 1. Introduction 141 + 142 + This document defines the HTTP Cookie and Set-Cookie header fields. 143 + Using the Set-Cookie header field, an HTTP server can pass name/value 144 + pairs and associated metadata (called cookies) to a user agent. When 145 + the user agent makes subsequent requests to the server, the user 146 + agent uses the metadata and other information to determine whether to 147 + return the name/value pairs in the Cookie header. 148 + 149 + Although simple on their surface, cookies have a number of 150 + complexities. For example, the server indicates a scope for each 151 + cookie when sending it to the user agent. The scope indicates the 152 + maximum amount of time in which the user agent should return the 153 + cookie, the servers to which the user agent should return the cookie, 154 + and the URI schemes for which the cookie is applicable. 155 + 156 + For historical reasons, cookies contain a number of security and 157 + privacy infelicities. For example, a server can indicate that a 158 + given cookie is intended for "secure" connections, but the Secure 159 + attribute does not provide integrity in the presence of an active 160 + network attacker. Similarly, cookies for a given host are shared 161 + across all the ports on that host, even though the usual "same-origin 162 + policy" used by web browsers isolates content retrieved via different 163 + ports. 164 + 165 + There are two audiences for this specification: developers of cookie- 166 + generating servers and developers of cookie-consuming user agents. 167 + 168 + 169 + 170 + Barth Standards Track [Page 3] 171 + 172 + RFC 6265 HTTP State Management Mechanism April 2011 173 + 174 + 175 + To maximize interoperability with user agents, servers SHOULD limit 176 + themselves to the well-behaved profile defined in Section 4 when 177 + generating cookies. 178 + 179 + User agents MUST implement the more liberal processing rules defined 180 + in Section 5, in order to maximize interoperability with existing 181 + servers that do not conform to the well-behaved profile defined in 182 + Section 4. 183 + 184 + This document specifies the syntax and semantics of these headers as 185 + they are actually used on the Internet. In particular, this document 186 + does not create new syntax or semantics beyond those in use today. 187 + The recommendations for cookie generation provided in Section 4 188 + represent a preferred subset of current server behavior, and even the 189 + more liberal cookie processing algorithm provided in Section 5 does 190 + not recommend all of the syntactic and semantic variations in use 191 + today. Where some existing software differs from the recommended 192 + protocol in significant ways, the document contains a note explaining 193 + the difference. 194 + 195 + Prior to this document, there were at least three descriptions of 196 + cookies: the so-called "Netscape cookie specification" [Netscape], 197 + RFC 2109 [RFC2109], and RFC 2965 [RFC2965]. However, none of these 198 + documents describe how the Cookie and Set-Cookie headers are actually 199 + used on the Internet (see [Kri2001] for historical context). In 200 + relation to previous IETF specifications of HTTP state management 201 + mechanisms, this document requests the following actions: 202 + 203 + 1. Change the status of [RFC2109] to Historic (it has already been 204 + obsoleted by [RFC2965]). 205 + 206 + 2. Change the status of [RFC2965] to Historic. 207 + 208 + 3. Indicate that [RFC2965] has been obsoleted by this document. 209 + 210 + In particular, in moving RFC 2965 to Historic and obsoleting it, this 211 + document deprecates the use of the Cookie2 and Set-Cookie2 header 212 + fields. 213 + 214 + 2. Conventions 215 + 216 + 2.1. Conformance Criteria 217 + 218 + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 219 + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 220 + document are to be interpreted as described in [RFC2119]. 221 + 222 + 223 + 224 + 225 + 226 + Barth Standards Track [Page 4] 227 + 228 + RFC 6265 HTTP State Management Mechanism April 2011 229 + 230 + 231 + Requirements phrased in the imperative as part of algorithms (such as 232 + "strip any leading space characters" or "return false and abort these 233 + steps") are to be interpreted with the meaning of the key word 234 + ("MUST", "SHOULD", "MAY", etc.) used in introducing the algorithm. 235 + 236 + Conformance requirements phrased as algorithms or specific steps can 237 + be implemented in any manner, so long as the end result is 238 + equivalent. In particular, the algorithms defined in this 239 + specification are intended to be easy to understand and are not 240 + intended to be performant. 241 + 242 + 2.2. Syntax Notation 243 + 244 + This specification uses the Augmented Backus-Naur Form (ABNF) 245 + notation of [RFC5234]. 246 + 247 + The following core rules are included by reference, as defined in 248 + [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF 249 + (CR LF), CTLs (controls), DIGIT (decimal 0-9), DQUOTE (double quote), 250 + HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), NUL (null octet), 251 + OCTET (any 8-bit sequence of data except NUL), SP (space), HTAB 252 + (horizontal tab), CHAR (any [USASCII] character), VCHAR (any visible 253 + [USASCII] character), and WSP (whitespace). 254 + 255 + The OWS (optional whitespace) rule is used where zero or more linear 256 + whitespace characters MAY appear: 257 + 258 + OWS = *( [ obs-fold ] WSP ) 259 + ; "optional" whitespace 260 + obs-fold = CRLF 261 + 262 + OWS SHOULD either not be produced or be produced as a single SP 263 + character. 264 + 265 + 2.3. Terminology 266 + 267 + The terms user agent, client, server, proxy, and origin server have 268 + the same meaning as in the HTTP/1.1 specification ([RFC2616], Section 269 + 1.3). 270 + 271 + The request-host is the name of the host, as known by the user agent, 272 + to which the user agent is sending an HTTP request or from which it 273 + is receiving an HTTP response (i.e., the name of the host to which it 274 + sent the corresponding HTTP request). 275 + 276 + The term request-uri is defined in Section 5.1.2 of [RFC2616]. 277 + 278 + 279 + 280 + 281 + 282 + Barth Standards Track [Page 5] 283 + 284 + RFC 6265 HTTP State Management Mechanism April 2011 285 + 286 + 287 + Two sequences of octets are said to case-insensitively match each 288 + other if and only if they are equivalent under the i;ascii-casemap 289 + collation defined in [RFC4790]. 290 + 291 + The term string means a sequence of non-NUL octets. 292 + 293 + 3. Overview 294 + 295 + This section outlines a way for an origin server to send state 296 + information to a user agent and for the user agent to return the 297 + state information to the origin server. 298 + 299 + To store state, the origin server includes a Set-Cookie header in an 300 + HTTP response. In subsequent requests, the user agent returns a 301 + Cookie request header to the origin server. The Cookie header 302 + contains cookies the user agent received in previous Set-Cookie 303 + headers. The origin server is free to ignore the Cookie header or 304 + use its contents for an application-defined purpose. 305 + 306 + Origin servers MAY send a Set-Cookie response header with any 307 + response. User agents MAY ignore Set-Cookie headers contained in 308 + responses with 100-level status codes but MUST process Set-Cookie 309 + headers contained in other responses (including responses with 400- 310 + and 500-level status codes). An origin server can include multiple 311 + Set-Cookie header fields in a single response. The presence of a 312 + Cookie or a Set-Cookie header field does not preclude HTTP caches 313 + from storing and reusing a response. 314 + 315 + Origin servers SHOULD NOT fold multiple Set-Cookie header fields into 316 + a single header field. The usual mechanism for folding HTTP headers 317 + fields (i.e., as defined in [RFC2616]) might change the semantics of 318 + the Set-Cookie header field because the %x2C (",") character is used 319 + by Set-Cookie in a way that conflicts with such folding. 320 + 321 + 3.1. Examples 322 + 323 + Using the Set-Cookie header, a server can send the user agent a short 324 + string in an HTTP response that the user agent will return in future 325 + HTTP requests that are within the scope of the cookie. For example, 326 + the server can send the user agent a "session identifier" named SID 327 + with the value 31d4d96e407aad42. The user agent then returns the 328 + session identifier in subsequent requests. 329 + 330 + 331 + 332 + 333 + 334 + 335 + 336 + 337 + 338 + Barth Standards Track [Page 6] 339 + 340 + RFC 6265 HTTP State Management Mechanism April 2011 341 + 342 + 343 + == Server -> User Agent == 344 + 345 + Set-Cookie: SID=31d4d96e407aad42 346 + 347 + == User Agent -> Server == 348 + 349 + Cookie: SID=31d4d96e407aad42 350 + 351 + The server can alter the default scope of the cookie using the Path 352 + and Domain attributes. For example, the server can instruct the user 353 + agent to return the cookie to every path and every subdomain of 354 + example.com. 355 + 356 + == Server -> User Agent == 357 + 358 + Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=example.com 359 + 360 + == User Agent -> Server == 361 + 362 + Cookie: SID=31d4d96e407aad42 363 + 364 + As shown in the next example, the server can store multiple cookies 365 + at the user agent. For example, the server can store a session 366 + identifier as well as the user's preferred language by returning two 367 + Set-Cookie header fields. Notice that the server uses the Secure and 368 + HttpOnly attributes to provide additional security protections for 369 + the more sensitive session identifier (see Section 4.1.2.) 370 + 371 + == Server -> User Agent == 372 + 373 + Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly 374 + Set-Cookie: lang=en-US; Path=/; Domain=example.com 375 + 376 + == User Agent -> Server == 377 + 378 + Cookie: SID=31d4d96e407aad42; lang=en-US 379 + 380 + Notice that the Cookie header above contains two cookies, one named 381 + SID and one named lang. If the server wishes the user agent to 382 + persist the cookie over multiple "sessions" (e.g., user agent 383 + restarts), the server can specify an expiration date in the Expires 384 + attribute. Note that the user agent might delete the cookie before 385 + the expiration date if the user agent's cookie store exceeds its 386 + quota or if the user manually deletes the server's cookie. 387 + 388 + 389 + 390 + 391 + 392 + 393 + 394 + Barth Standards Track [Page 7] 395 + 396 + RFC 6265 HTTP State Management Mechanism April 2011 397 + 398 + 399 + == Server -> User Agent == 400 + 401 + Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT 402 + 403 + == User Agent -> Server == 404 + 405 + Cookie: SID=31d4d96e407aad42; lang=en-US 406 + 407 + Finally, to remove a cookie, the server returns a Set-Cookie header 408 + with an expiration date in the past. The server will be successful 409 + in removing the cookie only if the Path and the Domain attribute in 410 + the Set-Cookie header match the values used when the cookie was 411 + created. 412 + 413 + == Server -> User Agent == 414 + 415 + Set-Cookie: lang=; Expires=Sun, 06 Nov 1994 08:49:37 GMT 416 + 417 + == User Agent -> Server == 418 + 419 + Cookie: SID=31d4d96e407aad42 420 + 421 + 4. Server Requirements 422 + 423 + This section describes the syntax and semantics of a well-behaved 424 + profile of the Cookie and Set-Cookie headers. 425 + 426 + 4.1. Set-Cookie 427 + 428 + The Set-Cookie HTTP response header is used to send cookies from the 429 + server to the user agent. 430 + 431 + 4.1.1. Syntax 432 + 433 + Informally, the Set-Cookie response header contains the header name 434 + "Set-Cookie" followed by a ":" and a cookie. Each cookie begins with 435 + a name-value-pair, followed by zero or more attribute-value pairs. 436 + Servers SHOULD NOT send Set-Cookie headers that fail to conform to 437 + the following grammar: 438 + 439 + 440 + 441 + 442 + 443 + 444 + 445 + 446 + 447 + 448 + 449 + 450 + Barth Standards Track [Page 8] 451 + 452 + RFC 6265 HTTP State Management Mechanism April 2011 453 + 454 + 455 + set-cookie-header = "Set-Cookie:" SP set-cookie-string 456 + set-cookie-string = cookie-pair *( ";" SP cookie-av ) 457 + cookie-pair = cookie-name "=" cookie-value 458 + cookie-name = token 459 + cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) 460 + cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E 461 + ; US-ASCII characters excluding CTLs, 462 + ; whitespace DQUOTE, comma, semicolon, 463 + ; and backslash 464 + token = <token, defined in [RFC2616], Section 2.2> 465 + 466 + cookie-av = expires-av / max-age-av / domain-av / 467 + path-av / secure-av / httponly-av / 468 + extension-av 469 + expires-av = "Expires=" sane-cookie-date 470 + sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1> 471 + max-age-av = "Max-Age=" non-zero-digit *DIGIT 472 + ; In practice, both expires-av and max-age-av 473 + ; are limited to dates representable by the 474 + ; user agent. 475 + non-zero-digit = %x31-39 476 + ; digits 1 through 9 477 + domain-av = "Domain=" domain-value 478 + domain-value = <subdomain> 479 + ; defined in [RFC1034], Section 3.5, as 480 + ; enhanced by [RFC1123], Section 2.1 481 + path-av = "Path=" path-value 482 + path-value = <any CHAR except CTLs or ";"> 483 + secure-av = "Secure" 484 + httponly-av = "HttpOnly" 485 + extension-av = <any CHAR except CTLs or ";"> 486 + 487 + Note that some of the grammatical terms above reference documents 488 + that use different grammatical notations than this document (which 489 + uses ABNF from [RFC5234]). 490 + 491 + The semantics of the cookie-value are not defined by this document. 492 + 493 + To maximize compatibility with user agents, servers that wish to 494 + store arbitrary data in a cookie-value SHOULD encode that data, for 495 + example, using Base64 [RFC4648]. 496 + 497 + The portions of the set-cookie-string produced by the cookie-av term 498 + are known as attributes. To maximize compatibility with user agents, 499 + servers SHOULD NOT produce two attributes with the same name in the 500 + same set-cookie-string. (See Section 5.3 for how user agents handle 501 + this case.) 502 + 503 + 504 + 505 + 506 + Barth Standards Track [Page 9] 507 + 508 + RFC 6265 HTTP State Management Mechanism April 2011 509 + 510 + 511 + Servers SHOULD NOT include more than one Set-Cookie header field in 512 + the same response with the same cookie-name. (See Section 5.2 for 513 + how user agents handle this case.) 514 + 515 + If a server sends multiple responses containing Set-Cookie headers 516 + concurrently to the user agent (e.g., when communicating with the 517 + user agent over multiple sockets), these responses create a "race 518 + condition" that can lead to unpredictable behavior. 519 + 520 + NOTE: Some existing user agents differ in their interpretation of 521 + two-digit years. To avoid compatibility issues, servers SHOULD use 522 + the rfc1123-date format, which requires a four-digit year. 523 + 524 + NOTE: Some user agents store and process dates in cookies as 32-bit 525 + UNIX time_t values. Implementation bugs in the libraries supporting 526 + time_t processing on some systems might cause such user agents to 527 + process dates after the year 2038 incorrectly. 528 + 529 + 4.1.2. Semantics (Non-Normative) 530 + 531 + This section describes simplified semantics of the Set-Cookie header. 532 + These semantics are detailed enough to be useful for understanding 533 + the most common uses of cookies by servers. The full semantics are 534 + described in Section 5. 535 + 536 + When the user agent receives a Set-Cookie header, the user agent 537 + stores the cookie together with its attributes. Subsequently, when 538 + the user agent makes an HTTP request, the user agent includes the 539 + applicable, non-expired cookies in the Cookie header. 540 + 541 + If the user agent receives a new cookie with the same cookie-name, 542 + domain-value, and path-value as a cookie that it has already stored, 543 + the existing cookie is evicted and replaced with the new cookie. 544 + Notice that servers can delete cookies by sending the user agent a 545 + new cookie with an Expires attribute with a value in the past. 546 + 547 + Unless the cookie's attributes indicate otherwise, the cookie is 548 + returned only to the origin server (and not, for example, to any 549 + subdomains), and it expires at the end of the current session (as 550 + defined by the user agent). User agents ignore unrecognized cookie 551 + attributes (but not the entire cookie). 552 + 553 + 554 + 555 + 556 + 557 + 558 + 559 + 560 + 561 + 562 + Barth Standards Track [Page 10] 563 + 564 + RFC 6265 HTTP State Management Mechanism April 2011 565 + 566 + 567 + 4.1.2.1. The Expires Attribute 568 + 569 + The Expires attribute indicates the maximum lifetime of the cookie, 570 + represented as the date and time at which the cookie expires. The 571 + user agent is not required to retain the cookie until the specified 572 + date has passed. In fact, user agents often evict cookies due to 573 + memory pressure or privacy concerns. 574 + 575 + 4.1.2.2. The Max-Age Attribute 576 + 577 + The Max-Age attribute indicates the maximum lifetime of the cookie, 578 + represented as the number of seconds until the cookie expires. The 579 + user agent is not required to retain the cookie for the specified 580 + duration. In fact, user agents often evict cookies due to memory 581 + pressure or privacy concerns. 582 + 583 + NOTE: Some existing user agents do not support the Max-Age 584 + attribute. User agents that do not support the Max-Age attribute 585 + ignore the attribute. 586 + 587 + If a cookie has both the Max-Age and the Expires attribute, the Max- 588 + Age attribute has precedence and controls the expiration date of the 589 + cookie. If a cookie has neither the Max-Age nor the Expires 590 + attribute, the user agent will retain the cookie until "the current 591 + session is over" (as defined by the user agent). 592 + 593 + 4.1.2.3. The Domain Attribute 594 + 595 + The Domain attribute specifies those hosts to which the cookie will 596 + be sent. For example, if the value of the Domain attribute is 597 + "example.com", the user agent will include the cookie in the Cookie 598 + header when making HTTP requests to example.com, www.example.com, and 599 + www.corp.example.com. (Note that a leading %x2E ("."), if present, 600 + is ignored even though that character is not permitted, but a 601 + trailing %x2E ("."), if present, will cause the user agent to ignore 602 + the attribute.) If the server omits the Domain attribute, the user 603 + agent will return the cookie only to the origin server. 604 + 605 + WARNING: Some existing user agents treat an absent Domain 606 + attribute as if the Domain attribute were present and contained 607 + the current host name. For example, if example.com returns a Set- 608 + Cookie header without a Domain attribute, these user agents will 609 + erroneously send the cookie to www.example.com as well. 610 + 611 + 612 + 613 + 614 + 615 + 616 + 617 + 618 + Barth Standards Track [Page 11] 619 + 620 + RFC 6265 HTTP State Management Mechanism April 2011 621 + 622 + 623 + The user agent will reject cookies unless the Domain attribute 624 + specifies a scope for the cookie that would include the origin 625 + server. For example, the user agent will accept a cookie with a 626 + Domain attribute of "example.com" or of "foo.example.com" from 627 + foo.example.com, but the user agent will not accept a cookie with a 628 + Domain attribute of "bar.example.com" or of "baz.foo.example.com". 629 + 630 + NOTE: For security reasons, many user agents are configured to reject 631 + Domain attributes that correspond to "public suffixes". For example, 632 + some user agents will reject Domain attributes of "com" or "co.uk". 633 + (See Section 5.3 for more information.) 634 + 635 + 4.1.2.4. The Path Attribute 636 + 637 + The scope of each cookie is limited to a set of paths, controlled by 638 + the Path attribute. If the server omits the Path attribute, the user 639 + agent will use the "directory" of the request-uri's path component as 640 + the default value. (See Section 5.1.4 for more details.) 641 + 642 + The user agent will include the cookie in an HTTP request only if the 643 + path portion of the request-uri matches (or is a subdirectory of) the 644 + cookie's Path attribute, where the %x2F ("/") character is 645 + interpreted as a directory separator. 646 + 647 + Although seemingly useful for isolating cookies between different 648 + paths within a given host, the Path attribute cannot be relied upon 649 + for security (see Section 8). 650 + 651 + 4.1.2.5. The Secure Attribute 652 + 653 + The Secure attribute limits the scope of the cookie to "secure" 654 + channels (where "secure" is defined by the user agent). When a 655 + cookie has the Secure attribute, the user agent will include the 656 + cookie in an HTTP request only if the request is transmitted over a 657 + secure channel (typically HTTP over Transport Layer Security (TLS) 658 + [RFC2818]). 659 + 660 + Although seemingly useful for protecting cookies from active network 661 + attackers, the Secure attribute protects only the cookie's 662 + confidentiality. An active network attacker can overwrite Secure 663 + cookies from an insecure channel, disrupting their integrity (see 664 + Section 8.6 for more details). 665 + 666 + 667 + 668 + 669 + 670 + 671 + 672 + 673 + 674 + Barth Standards Track [Page 12] 675 + 676 + RFC 6265 HTTP State Management Mechanism April 2011 677 + 678 + 679 + 4.1.2.6. The HttpOnly Attribute 680 + 681 + The HttpOnly attribute limits the scope of the cookie to HTTP 682 + requests. In particular, the attribute instructs the user agent to 683 + omit the cookie when providing access to cookies via "non-HTTP" APIs 684 + (such as a web browser API that exposes cookies to scripts). 685 + 686 + Note that the HttpOnly attribute is independent of the Secure 687 + attribute: a cookie can have both the HttpOnly and the Secure 688 + attribute. 689 + 690 + 4.2. Cookie 691 + 692 + 4.2.1. Syntax 693 + 694 + The user agent sends stored cookies to the origin server in the 695 + Cookie header. If the server conforms to the requirements in 696 + Section 4.1 (and the user agent conforms to the requirements in 697 + Section 5), the user agent will send a Cookie header that conforms to 698 + the following grammar: 699 + 700 + cookie-header = "Cookie:" OWS cookie-string OWS 701 + cookie-string = cookie-pair *( ";" SP cookie-pair ) 702 + 703 + 4.2.2. Semantics 704 + 705 + Each cookie-pair represents a cookie stored by the user agent. The 706 + cookie-pair contains the cookie-name and cookie-value the user agent 707 + received in the Set-Cookie header. 708 + 709 + Notice that the cookie attributes are not returned. In particular, 710 + the server cannot determine from the Cookie header alone when a 711 + cookie will expire, for which hosts the cookie is valid, for which 712 + paths the cookie is valid, or whether the cookie was set with the 713 + Secure or HttpOnly attributes. 714 + 715 + The semantics of individual cookies in the Cookie header are not 716 + defined by this document. Servers are expected to imbue these 717 + cookies with application-specific semantics. 718 + 719 + Although cookies are serialized linearly in the Cookie header, 720 + servers SHOULD NOT rely upon the serialization order. In particular, 721 + if the Cookie header contains two cookies with the same name (e.g., 722 + that were set with different Path or Domain attributes), servers 723 + SHOULD NOT rely upon the order in which these cookies appear in the 724 + header. 725 + 726 + 727 + 728 + 729 + 730 + Barth Standards Track [Page 13] 731 + 732 + RFC 6265 HTTP State Management Mechanism April 2011 733 + 734 + 735 + 5. User Agent Requirements 736 + 737 + This section specifies the Cookie and Set-Cookie headers in 738 + sufficient detail that a user agent implementing these requirements 739 + precisely can interoperate with existing servers (even those that do 740 + not conform to the well-behaved profile described in Section 4). 741 + 742 + A user agent could enforce more restrictions than those specified 743 + herein (e.g., for the sake of improved security); however, 744 + experiments have shown that such strictness reduces the likelihood 745 + that a user agent will be able to interoperate with existing servers. 746 + 747 + 5.1. Subcomponent Algorithms 748 + 749 + This section defines some algorithms used by user agents to process 750 + specific subcomponents of the Cookie and Set-Cookie headers. 751 + 752 + 5.1.1. Dates 753 + 754 + The user agent MUST use an algorithm equivalent to the following 755 + algorithm to parse a cookie-date. Note that the various boolean 756 + flags defined as a part of the algorithm (i.e., found-time, found- 757 + day-of-month, found-month, found-year) are initially "not set". 758 + 759 + 1. Using the grammar below, divide the cookie-date into date-tokens. 760 + 761 + cookie-date = *delimiter date-token-list *delimiter 762 + date-token-list = date-token *( 1*delimiter date-token ) 763 + date-token = 1*non-delimiter 764 + 765 + delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E 766 + non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF 767 + non-digit = %x00-2F / %x3A-FF 768 + 769 + day-of-month = 1*2DIGIT ( non-digit *OCTET ) 770 + month = ( "jan" / "feb" / "mar" / "apr" / 771 + "may" / "jun" / "jul" / "aug" / 772 + "sep" / "oct" / "nov" / "dec" ) *OCTET 773 + year = 2*4DIGIT ( non-digit *OCTET ) 774 + time = hms-time ( non-digit *OCTET ) 775 + hms-time = time-field ":" time-field ":" time-field 776 + time-field = 1*2DIGIT 777 + 778 + 2. Process each date-token sequentially in the order the date-tokens 779 + appear in the cookie-date: 780 + 781 + 782 + 783 + 784 + 785 + 786 + Barth Standards Track [Page 14] 787 + 788 + RFC 6265 HTTP State Management Mechanism April 2011 789 + 790 + 791 + 1. If the found-time flag is not set and the token matches the 792 + time production, set the found-time flag and set the hour- 793 + value, minute-value, and second-value to the numbers denoted 794 + by the digits in the date-token, respectively. Skip the 795 + remaining sub-steps and continue to the next date-token. 796 + 797 + 2. If the found-day-of-month flag is not set and the date-token 798 + matches the day-of-month production, set the found-day-of- 799 + month flag and set the day-of-month-value to the number 800 + denoted by the date-token. Skip the remaining sub-steps and 801 + continue to the next date-token. 802 + 803 + 3. If the found-month flag is not set and the date-token matches 804 + the month production, set the found-month flag and set the 805 + month-value to the month denoted by the date-token. Skip the 806 + remaining sub-steps and continue to the next date-token. 807 + 808 + 4. If the found-year flag is not set and the date-token matches 809 + the year production, set the found-year flag and set the 810 + year-value to the number denoted by the date-token. Skip the 811 + remaining sub-steps and continue to the next date-token. 812 + 813 + 3. If the year-value is greater than or equal to 70 and less than or 814 + equal to 99, increment the year-value by 1900. 815 + 816 + 4. If the year-value is greater than or equal to 0 and less than or 817 + equal to 69, increment the year-value by 2000. 818 + 819 + 1. NOTE: Some existing user agents interpret two-digit years 820 + differently. 821 + 822 + 5. Abort these steps and fail to parse the cookie-date if: 823 + 824 + * at least one of the found-day-of-month, found-month, found- 825 + year, or found-time flags is not set, 826 + 827 + * the day-of-month-value is less than 1 or greater than 31, 828 + 829 + * the year-value is less than 1601, 830 + 831 + * the hour-value is greater than 23, 832 + 833 + * the minute-value is greater than 59, or 834 + 835 + * the second-value is greater than 59. 836 + 837 + (Note that leap seconds cannot be represented in this syntax.) 838 + 839 + 840 + 841 + 842 + Barth Standards Track [Page 15] 843 + 844 + RFC 6265 HTTP State Management Mechanism April 2011 845 + 846 + 847 + 6. Let the parsed-cookie-date be the date whose day-of-month, month, 848 + year, hour, minute, and second (in UTC) are the day-of-month- 849 + value, the month-value, the year-value, the hour-value, the 850 + minute-value, and the second-value, respectively. If no such 851 + date exists, abort these steps and fail to parse the cookie-date. 852 + 853 + 7. Return the parsed-cookie-date as the result of this algorithm. 854 + 855 + 5.1.2. Canonicalized Host Names 856 + 857 + A canonicalized host name is the string generated by the following 858 + algorithm: 859 + 860 + 1. Convert the host name to a sequence of individual domain name 861 + labels. 862 + 863 + 2. Convert each label that is not a Non-Reserved LDH (NR-LDH) label, 864 + to an A-label (see Section 2.3.2.1 of [RFC5890] for the former 865 + and latter), or to a "punycode label" (a label resulting from the 866 + "ToASCII" conversion in Section 4 of [RFC3490]), as appropriate 867 + (see Section 6.3 of this specification). 868 + 869 + 3. Concatenate the resulting labels, separated by a %x2E (".") 870 + character. 871 + 872 + 5.1.3. Domain Matching 873 + 874 + A string domain-matches a given domain string if at least one of the 875 + following conditions hold: 876 + 877 + o The domain string and the string are identical. (Note that both 878 + the domain string and the string will have been canonicalized to 879 + lower case at this point.) 880 + 881 + o All of the following conditions hold: 882 + 883 + * The domain string is a suffix of the string. 884 + 885 + * The last character of the string that is not included in the 886 + domain string is a %x2E (".") character. 887 + 888 + * The string is a host name (i.e., not an IP address). 889 + 890 + 5.1.4. Paths and Path-Match 891 + 892 + The user agent MUST use an algorithm equivalent to the following 893 + algorithm to compute the default-path of a cookie: 894 + 895 + 896 + 897 + 898 + Barth Standards Track [Page 16] 899 + 900 + RFC 6265 HTTP State Management Mechanism April 2011 901 + 902 + 903 + 1. Let uri-path be the path portion of the request-uri if such a 904 + portion exists (and empty otherwise). For example, if the 905 + request-uri contains just a path (and optional query string), 906 + then the uri-path is that path (without the %x3F ("?") character 907 + or query string), and if the request-uri contains a full 908 + absoluteURI, the uri-path is the path component of that URI. 909 + 910 + 2. If the uri-path is empty or if the first character of the uri- 911 + path is not a %x2F ("/") character, output %x2F ("/") and skip 912 + the remaining steps. 913 + 914 + 3. If the uri-path contains no more than one %x2F ("/") character, 915 + output %x2F ("/") and skip the remaining step. 916 + 917 + 4. Output the characters of the uri-path from the first character up 918 + to, but not including, the right-most %x2F ("/"). 919 + 920 + A request-path path-matches a given cookie-path if at least one of 921 + the following conditions holds: 922 + 923 + o The cookie-path and the request-path are identical. 924 + 925 + o The cookie-path is a prefix of the request-path, and the last 926 + character of the cookie-path is %x2F ("/"). 927 + 928 + o The cookie-path is a prefix of the request-path, and the first 929 + character of the request-path that is not included in the cookie- 930 + path is a %x2F ("/") character. 931 + 932 + 5.2. The Set-Cookie Header 933 + 934 + When a user agent receives a Set-Cookie header field in an HTTP 935 + response, the user agent MAY ignore the Set-Cookie header field in 936 + its entirety. For example, the user agent might wish to block 937 + responses to "third-party" requests from setting cookies (see 938 + Section 7.1). 939 + 940 + If the user agent does not ignore the Set-Cookie header field in its 941 + entirety, the user agent MUST parse the field-value of the Set-Cookie 942 + header field as a set-cookie-string (defined below). 943 + 944 + NOTE: The algorithm below is more permissive than the grammar in 945 + Section 4.1. For example, the algorithm strips leading and trailing 946 + whitespace from the cookie name and value (but maintains internal 947 + whitespace), whereas the grammar in Section 4.1 forbids whitespace in 948 + these positions. User agents use this algorithm so as to 949 + interoperate with servers that do not follow the recommendations in 950 + Section 4. 951 + 952 + 953 + 954 + Barth Standards Track [Page 17] 955 + 956 + RFC 6265 HTTP State Management Mechanism April 2011 957 + 958 + 959 + A user agent MUST use an algorithm equivalent to the following 960 + algorithm to parse a "set-cookie-string": 961 + 962 + 1. If the set-cookie-string contains a %x3B (";") character: 963 + 964 + The name-value-pair string consists of the characters up to, 965 + but not including, the first %x3B (";"), and the unparsed- 966 + attributes consist of the remainder of the set-cookie-string 967 + (including the %x3B (";") in question). 968 + 969 + Otherwise: 970 + 971 + The name-value-pair string consists of all the characters 972 + contained in the set-cookie-string, and the unparsed- 973 + attributes is the empty string. 974 + 975 + 2. If the name-value-pair string lacks a %x3D ("=") character, 976 + ignore the set-cookie-string entirely. 977 + 978 + 3. The (possibly empty) name string consists of the characters up 979 + to, but not including, the first %x3D ("=") character, and the 980 + (possibly empty) value string consists of the characters after 981 + the first %x3D ("=") character. 982 + 983 + 4. Remove any leading or trailing WSP characters from the name 984 + string and the value string. 985 + 986 + 5. If the name string is empty, ignore the set-cookie-string 987 + entirely. 988 + 989 + 6. The cookie-name is the name string, and the cookie-value is the 990 + value string. 991 + 992 + The user agent MUST use an algorithm equivalent to the following 993 + algorithm to parse the unparsed-attributes: 994 + 995 + 1. If the unparsed-attributes string is empty, skip the rest of 996 + these steps. 997 + 998 + 2. Discard the first character of the unparsed-attributes (which 999 + will be a %x3B (";") character). 1000 + 1001 + 3. If the remaining unparsed-attributes contains a %x3B (";") 1002 + character: 1003 + 1004 + Consume the characters of the unparsed-attributes up to, but 1005 + not including, the first %x3B (";") character. 1006 + 1007 + 1008 + 1009 + 1010 + Barth Standards Track [Page 18] 1011 + 1012 + RFC 6265 HTTP State Management Mechanism April 2011 1013 + 1014 + 1015 + Otherwise: 1016 + 1017 + Consume the remainder of the unparsed-attributes. 1018 + 1019 + Let the cookie-av string be the characters consumed in this step. 1020 + 1021 + 4. If the cookie-av string contains a %x3D ("=") character: 1022 + 1023 + The (possibly empty) attribute-name string consists of the 1024 + characters up to, but not including, the first %x3D ("=") 1025 + character, and the (possibly empty) attribute-value string 1026 + consists of the characters after the first %x3D ("=") 1027 + character. 1028 + 1029 + Otherwise: 1030 + 1031 + The attribute-name string consists of the entire cookie-av 1032 + string, and the attribute-value string is empty. 1033 + 1034 + 5. Remove any leading or trailing WSP characters from the attribute- 1035 + name string and the attribute-value string. 1036 + 1037 + 6. Process the attribute-name and attribute-value according to the 1038 + requirements in the following subsections. (Notice that 1039 + attributes with unrecognized attribute-names are ignored.) 1040 + 1041 + 7. Return to Step 1 of this algorithm. 1042 + 1043 + When the user agent finishes parsing the set-cookie-string, the user 1044 + agent is said to "receive a cookie" from the request-uri with name 1045 + cookie-name, value cookie-value, and attributes cookie-attribute- 1046 + list. (See Section 5.3 for additional requirements triggered by 1047 + receiving a cookie.) 1048 + 1049 + 5.2.1. The Expires Attribute 1050 + 1051 + If the attribute-name case-insensitively matches the string 1052 + "Expires", the user agent MUST process the cookie-av as follows. 1053 + 1054 + Let the expiry-time be the result of parsing the attribute-value as 1055 + cookie-date (see Section 5.1.1). 1056 + 1057 + If the attribute-value failed to parse as a cookie date, ignore the 1058 + cookie-av. 1059 + 1060 + If the expiry-time is later than the last date the user agent can 1061 + represent, the user agent MAY replace the expiry-time with the last 1062 + representable date. 1063 + 1064 + 1065 + 1066 + Barth Standards Track [Page 19] 1067 + 1068 + RFC 6265 HTTP State Management Mechanism April 2011 1069 + 1070 + 1071 + If the expiry-time is earlier than the earliest date the user agent 1072 + can represent, the user agent MAY replace the expiry-time with the 1073 + earliest representable date. 1074 + 1075 + Append an attribute to the cookie-attribute-list with an attribute- 1076 + name of Expires and an attribute-value of expiry-time. 1077 + 1078 + 5.2.2. The Max-Age Attribute 1079 + 1080 + If the attribute-name case-insensitively matches the string "Max- 1081 + Age", the user agent MUST process the cookie-av as follows. 1082 + 1083 + If the first character of the attribute-value is not a DIGIT or a "-" 1084 + character, ignore the cookie-av. 1085 + 1086 + If the remainder of attribute-value contains a non-DIGIT character, 1087 + ignore the cookie-av. 1088 + 1089 + Let delta-seconds be the attribute-value converted to an integer. 1090 + 1091 + If delta-seconds is less than or equal to zero (0), let expiry-time 1092 + be the earliest representable date and time. Otherwise, let the 1093 + expiry-time be the current date and time plus delta-seconds seconds. 1094 + 1095 + Append an attribute to the cookie-attribute-list with an attribute- 1096 + name of Max-Age and an attribute-value of expiry-time. 1097 + 1098 + 5.2.3. The Domain Attribute 1099 + 1100 + If the attribute-name case-insensitively matches the string "Domain", 1101 + the user agent MUST process the cookie-av as follows. 1102 + 1103 + If the attribute-value is empty, the behavior is undefined. However, 1104 + the user agent SHOULD ignore the cookie-av entirely. 1105 + 1106 + If the first character of the attribute-value string is %x2E ("."): 1107 + 1108 + Let cookie-domain be the attribute-value without the leading %x2E 1109 + (".") character. 1110 + 1111 + Otherwise: 1112 + 1113 + Let cookie-domain be the entire attribute-value. 1114 + 1115 + Convert the cookie-domain to lower case. 1116 + 1117 + Append an attribute to the cookie-attribute-list with an attribute- 1118 + name of Domain and an attribute-value of cookie-domain. 1119 + 1120 + 1121 + 1122 + Barth Standards Track [Page 20] 1123 + 1124 + RFC 6265 HTTP State Management Mechanism April 2011 1125 + 1126 + 1127 + 5.2.4. The Path Attribute 1128 + 1129 + If the attribute-name case-insensitively matches the string "Path", 1130 + the user agent MUST process the cookie-av as follows. 1131 + 1132 + If the attribute-value is empty or if the first character of the 1133 + attribute-value is not %x2F ("/"): 1134 + 1135 + Let cookie-path be the default-path. 1136 + 1137 + Otherwise: 1138 + 1139 + Let cookie-path be the attribute-value. 1140 + 1141 + Append an attribute to the cookie-attribute-list with an attribute- 1142 + name of Path and an attribute-value of cookie-path. 1143 + 1144 + 5.2.5. The Secure Attribute 1145 + 1146 + If the attribute-name case-insensitively matches the string "Secure", 1147 + the user agent MUST append an attribute to the cookie-attribute-list 1148 + with an attribute-name of Secure and an empty attribute-value. 1149 + 1150 + 5.2.6. The HttpOnly Attribute 1151 + 1152 + If the attribute-name case-insensitively matches the string 1153 + "HttpOnly", the user agent MUST append an attribute to the cookie- 1154 + attribute-list with an attribute-name of HttpOnly and an empty 1155 + attribute-value. 1156 + 1157 + 5.3. Storage Model 1158 + 1159 + The user agent stores the following fields about each cookie: name, 1160 + value, expiry-time, domain, path, creation-time, last-access-time, 1161 + persistent-flag, host-only-flag, secure-only-flag, and http-only- 1162 + flag. 1163 + 1164 + When the user agent "receives a cookie" from a request-uri with name 1165 + cookie-name, value cookie-value, and attributes cookie-attribute- 1166 + list, the user agent MUST process the cookie as follows: 1167 + 1168 + 1. A user agent MAY ignore a received cookie in its entirety. For 1169 + example, the user agent might wish to block receiving cookies 1170 + from "third-party" responses or the user agent might not wish to 1171 + store cookies that exceed some size. 1172 + 1173 + 1174 + 1175 + 1176 + 1177 + 1178 + Barth Standards Track [Page 21] 1179 + 1180 + RFC 6265 HTTP State Management Mechanism April 2011 1181 + 1182 + 1183 + 2. Create a new cookie with name cookie-name, value cookie-value. 1184 + Set the creation-time and the last-access-time to the current 1185 + date and time. 1186 + 1187 + 3. If the cookie-attribute-list contains an attribute with an 1188 + attribute-name of "Max-Age": 1189 + 1190 + Set the cookie's persistent-flag to true. 1191 + 1192 + Set the cookie's expiry-time to attribute-value of the last 1193 + attribute in the cookie-attribute-list with an attribute-name 1194 + of "Max-Age". 1195 + 1196 + Otherwise, if the cookie-attribute-list contains an attribute 1197 + with an attribute-name of "Expires" (and does not contain an 1198 + attribute with an attribute-name of "Max-Age"): 1199 + 1200 + Set the cookie's persistent-flag to true. 1201 + 1202 + Set the cookie's expiry-time to attribute-value of the last 1203 + attribute in the cookie-attribute-list with an attribute-name 1204 + of "Expires". 1205 + 1206 + Otherwise: 1207 + 1208 + Set the cookie's persistent-flag to false. 1209 + 1210 + Set the cookie's expiry-time to the latest representable 1211 + date. 1212 + 1213 + 4. If the cookie-attribute-list contains an attribute with an 1214 + attribute-name of "Domain": 1215 + 1216 + Let the domain-attribute be the attribute-value of the last 1217 + attribute in the cookie-attribute-list with an attribute-name 1218 + of "Domain". 1219 + 1220 + Otherwise: 1221 + 1222 + Let the domain-attribute be the empty string. 1223 + 1224 + 5. If the user agent is configured to reject "public suffixes" and 1225 + the domain-attribute is a public suffix: 1226 + 1227 + If the domain-attribute is identical to the canonicalized 1228 + request-host: 1229 + 1230 + Let the domain-attribute be the empty string. 1231 + 1232 + 1233 + 1234 + Barth Standards Track [Page 22] 1235 + 1236 + RFC 6265 HTTP State Management Mechanism April 2011 1237 + 1238 + 1239 + Otherwise: 1240 + 1241 + Ignore the cookie entirely and abort these steps. 1242 + 1243 + NOTE: A "public suffix" is a domain that is controlled by a 1244 + public registry, such as "com", "co.uk", and "pvt.k12.wy.us". 1245 + This step is essential for preventing attacker.com from 1246 + disrupting the integrity of example.com by setting a cookie 1247 + with a Domain attribute of "com". Unfortunately, the set of 1248 + public suffixes (also known as "registry controlled domains") 1249 + changes over time. If feasible, user agents SHOULD use an 1250 + up-to-date public suffix list, such as the one maintained by 1251 + the Mozilla project at <http://publicsuffix.org/>. 1252 + 1253 + 6. If the domain-attribute is non-empty: 1254 + 1255 + If the canonicalized request-host does not domain-match the 1256 + domain-attribute: 1257 + 1258 + Ignore the cookie entirely and abort these steps. 1259 + 1260 + Otherwise: 1261 + 1262 + Set the cookie's host-only-flag to false. 1263 + 1264 + Set the cookie's domain to the domain-attribute. 1265 + 1266 + Otherwise: 1267 + 1268 + Set the cookie's host-only-flag to true. 1269 + 1270 + Set the cookie's domain to the canonicalized request-host. 1271 + 1272 + 7. If the cookie-attribute-list contains an attribute with an 1273 + attribute-name of "Path", set the cookie's path to attribute- 1274 + value of the last attribute in the cookie-attribute-list with an 1275 + attribute-name of "Path". Otherwise, set the cookie's path to 1276 + the default-path of the request-uri. 1277 + 1278 + 8. If the cookie-attribute-list contains an attribute with an 1279 + attribute-name of "Secure", set the cookie's secure-only-flag to 1280 + true. Otherwise, set the cookie's secure-only-flag to false. 1281 + 1282 + 9. If the cookie-attribute-list contains an attribute with an 1283 + attribute-name of "HttpOnly", set the cookie's http-only-flag to 1284 + true. Otherwise, set the cookie's http-only-flag to false. 1285 + 1286 + 1287 + 1288 + 1289 + 1290 + Barth Standards Track [Page 23] 1291 + 1292 + RFC 6265 HTTP State Management Mechanism April 2011 1293 + 1294 + 1295 + 10. If the cookie was received from a "non-HTTP" API and the 1296 + cookie's http-only-flag is set, abort these steps and ignore the 1297 + cookie entirely. 1298 + 1299 + 11. If the cookie store contains a cookie with the same name, 1300 + domain, and path as the newly created cookie: 1301 + 1302 + 1. Let old-cookie be the existing cookie with the same name, 1303 + domain, and path as the newly created cookie. (Notice that 1304 + this algorithm maintains the invariant that there is at most 1305 + one such cookie.) 1306 + 1307 + 2. If the newly created cookie was received from a "non-HTTP" 1308 + API and the old-cookie's http-only-flag is set, abort these 1309 + steps and ignore the newly created cookie entirely. 1310 + 1311 + 3. Update the creation-time of the newly created cookie to 1312 + match the creation-time of the old-cookie. 1313 + 1314 + 4. Remove the old-cookie from the cookie store. 1315 + 1316 + 12. Insert the newly created cookie into the cookie store. 1317 + 1318 + A cookie is "expired" if the cookie has an expiry date in the past. 1319 + 1320 + The user agent MUST evict all expired cookies from the cookie store 1321 + if, at any time, an expired cookie exists in the cookie store. 1322 + 1323 + At any time, the user agent MAY "remove excess cookies" from the 1324 + cookie store if the number of cookies sharing a domain field exceeds 1325 + some implementation-defined upper bound (such as 50 cookies). 1326 + 1327 + At any time, the user agent MAY "remove excess cookies" from the 1328 + cookie store if the cookie store exceeds some predetermined upper 1329 + bound (such as 3000 cookies). 1330 + 1331 + When the user agent removes excess cookies from the cookie store, the 1332 + user agent MUST evict cookies in the following priority order: 1333 + 1334 + 1. Expired cookies. 1335 + 1336 + 2. Cookies that share a domain field with more than a predetermined 1337 + number of other cookies. 1338 + 1339 + 3. All cookies. 1340 + 1341 + If two cookies have the same removal priority, the user agent MUST 1342 + evict the cookie with the earliest last-access date first. 1343 + 1344 + 1345 + 1346 + Barth Standards Track [Page 24] 1347 + 1348 + RFC 6265 HTTP State Management Mechanism April 2011 1349 + 1350 + 1351 + When "the current session is over" (as defined by the user agent), 1352 + the user agent MUST remove from the cookie store all cookies with the 1353 + persistent-flag set to false. 1354 + 1355 + 5.4. The Cookie Header 1356 + 1357 + The user agent includes stored cookies in the Cookie HTTP request 1358 + header. 1359 + 1360 + When the user agent generates an HTTP request, the user agent MUST 1361 + NOT attach more than one Cookie header field. 1362 + 1363 + A user agent MAY omit the Cookie header in its entirety. For 1364 + example, the user agent might wish to block sending cookies during 1365 + "third-party" requests from setting cookies (see Section 7.1). 1366 + 1367 + If the user agent does attach a Cookie header field to an HTTP 1368 + request, the user agent MUST send the cookie-string (defined below) 1369 + as the value of the header field. 1370 + 1371 + The user agent MUST use an algorithm equivalent to the following 1372 + algorithm to compute the "cookie-string" from a cookie store and a 1373 + request-uri: 1374 + 1375 + 1. Let cookie-list be the set of cookies from the cookie store that 1376 + meets all of the following requirements: 1377 + 1378 + * Either: 1379 + 1380 + The cookie's host-only-flag is true and the canonicalized 1381 + request-host is identical to the cookie's domain. 1382 + 1383 + Or: 1384 + 1385 + The cookie's host-only-flag is false and the canonicalized 1386 + request-host domain-matches the cookie's domain. 1387 + 1388 + * The request-uri's path path-matches the cookie's path. 1389 + 1390 + * If the cookie's secure-only-flag is true, then the request- 1391 + uri's scheme must denote a "secure" protocol (as defined by 1392 + the user agent). 1393 + 1394 + NOTE: The notion of a "secure" protocol is not defined by 1395 + this document. Typically, user agents consider a protocol 1396 + secure if the protocol makes use of transport-layer 1397 + 1398 + 1399 + 1400 + 1401 + 1402 + Barth Standards Track [Page 25] 1403 + 1404 + RFC 6265 HTTP State Management Mechanism April 2011 1405 + 1406 + 1407 + security, such as SSL or TLS. For example, most user 1408 + agents consider "https" to be a scheme that denotes a 1409 + secure protocol. 1410 + 1411 + * If the cookie's http-only-flag is true, then exclude the 1412 + cookie if the cookie-string is being generated for a "non- 1413 + HTTP" API (as defined by the user agent). 1414 + 1415 + 2. The user agent SHOULD sort the cookie-list in the following 1416 + order: 1417 + 1418 + * Cookies with longer paths are listed before cookies with 1419 + shorter paths. 1420 + 1421 + * Among cookies that have equal-length path fields, cookies with 1422 + earlier creation-times are listed before cookies with later 1423 + creation-times. 1424 + 1425 + NOTE: Not all user agents sort the cookie-list in this order, but 1426 + this order reflects common practice when this document was 1427 + written, and, historically, there have been servers that 1428 + (erroneously) depended on this order. 1429 + 1430 + 3. Update the last-access-time of each cookie in the cookie-list to 1431 + the current date and time. 1432 + 1433 + 4. Serialize the cookie-list into a cookie-string by processing each 1434 + cookie in the cookie-list in order: 1435 + 1436 + 1. Output the cookie's name, the %x3D ("=") character, and the 1437 + cookie's value. 1438 + 1439 + 2. If there is an unprocessed cookie in the cookie-list, output 1440 + the characters %x3B and %x20 ("; "). 1441 + 1442 + NOTE: Despite its name, the cookie-string is actually a sequence of 1443 + octets, not a sequence of characters. To convert the cookie-string 1444 + (or components thereof) into a sequence of characters (e.g., for 1445 + presentation to the user), the user agent might wish to try using the 1446 + UTF-8 character encoding [RFC3629] to decode the octet sequence. 1447 + This decoding might fail, however, because not every sequence of 1448 + octets is valid UTF-8. 1449 + 1450 + 1451 + 1452 + 1453 + 1454 + 1455 + 1456 + 1457 + 1458 + Barth Standards Track [Page 26] 1459 + 1460 + RFC 6265 HTTP State Management Mechanism April 2011 1461 + 1462 + 1463 + 6. Implementation Considerations 1464 + 1465 + 6.1. Limits 1466 + 1467 + Practical user agent implementations have limits on the number and 1468 + size of cookies that they can store. General-use user agents SHOULD 1469 + provide each of the following minimum capabilities: 1470 + 1471 + o At least 4096 bytes per cookie (as measured by the sum of the 1472 + length of the cookie's name, value, and attributes). 1473 + 1474 + o At least 50 cookies per domain. 1475 + 1476 + o At least 3000 cookies total. 1477 + 1478 + Servers SHOULD use as few and as small cookies as possible to avoid 1479 + reaching these implementation limits and to minimize network 1480 + bandwidth due to the Cookie header being included in every request. 1481 + 1482 + Servers SHOULD gracefully degrade if the user agent fails to return 1483 + one or more cookies in the Cookie header because the user agent might 1484 + evict any cookie at any time on orders from the user. 1485 + 1486 + 6.2. Application Programming Interfaces 1487 + 1488 + One reason the Cookie and Set-Cookie headers use such esoteric syntax 1489 + is that many platforms (both in servers and user agents) provide a 1490 + string-based application programming interface (API) to cookies, 1491 + requiring application-layer programmers to generate and parse the 1492 + syntax used by the Cookie and Set-Cookie headers, which many 1493 + programmers have done incorrectly, resulting in interoperability 1494 + problems. 1495 + 1496 + Instead of providing string-based APIs to cookies, platforms would be 1497 + well-served by providing more semantic APIs. It is beyond the scope 1498 + of this document to recommend specific API designs, but there are 1499 + clear benefits to accepting an abstract "Date" object instead of a 1500 + serialized date string. 1501 + 1502 + 6.3. IDNA Dependency and Migration 1503 + 1504 + IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490]. However, there are 1505 + differences between the two specifications, and thus there can be 1506 + differences in processing (e.g., converting) domain name labels that 1507 + have been registered under one from those registered under the other. 1508 + There will be a transition period of some time during which IDNA2003- 1509 + based domain name labels will exist in the wild. User agents SHOULD 1510 + implement IDNA2008 [RFC5890] and MAY implement [UTS46] or [RFC5895] 1511 + 1512 + 1513 + 1514 + Barth Standards Track [Page 27] 1515 + 1516 + RFC 6265 HTTP State Management Mechanism April 2011 1517 + 1518 + 1519 + in order to facilitate their IDNA transition. If a user agent does 1520 + not implement IDNA2008, the user agent MUST implement IDNA2003 1521 + [RFC3490]. 1522 + 1523 + 7. Privacy Considerations 1524 + 1525 + Cookies are often criticized for letting servers track users. For 1526 + example, a number of "web analytics" companies use cookies to 1527 + recognize when a user returns to a web site or visits another web 1528 + site. Although cookies are not the only mechanism servers can use to 1529 + track users across HTTP requests, cookies facilitate tracking because 1530 + they are persistent across user agent sessions and can be shared 1531 + between hosts. 1532 + 1533 + 7.1. Third-Party Cookies 1534 + 1535 + Particularly worrisome are so-called "third-party" cookies. In 1536 + rendering an HTML document, a user agent often requests resources 1537 + from other servers (such as advertising networks). These third-party 1538 + servers can use cookies to track the user even if the user never 1539 + visits the server directly. For example, if a user visits a site 1540 + that contains content from a third party and then later visits 1541 + another site that contains content from the same third party, the 1542 + third party can track the user between the two sites. 1543 + 1544 + Some user agents restrict how third-party cookies behave. For 1545 + example, some of these user agents refuse to send the Cookie header 1546 + in third-party requests. Others refuse to process the Set-Cookie 1547 + header in responses to third-party requests. User agents vary widely 1548 + in their third-party cookie policies. This document grants user 1549 + agents wide latitude to experiment with third-party cookie policies 1550 + that balance the privacy and compatibility needs of their users. 1551 + However, this document does not endorse any particular third-party 1552 + cookie policy. 1553 + 1554 + Third-party cookie blocking policies are often ineffective at 1555 + achieving their privacy goals if servers attempt to work around their 1556 + restrictions to track users. In particular, two collaborating 1557 + servers can often track users without using cookies at all by 1558 + injecting identifying information into dynamic URLs. 1559 + 1560 + 7.2. User Controls 1561 + 1562 + User agents SHOULD provide users with a mechanism for managing the 1563 + cookies stored in the cookie store. For example, a user agent might 1564 + let users delete all cookies received during a specified time period 1565 + 1566 + 1567 + 1568 + 1569 + 1570 + Barth Standards Track [Page 28] 1571 + 1572 + RFC 6265 HTTP State Management Mechanism April 2011 1573 + 1574 + 1575 + or all the cookies related to a particular domain. In addition, many 1576 + user agents include a user interface element that lets users examine 1577 + the cookies stored in their cookie store. 1578 + 1579 + User agents SHOULD provide users with a mechanism for disabling 1580 + cookies. When cookies are disabled, the user agent MUST NOT include 1581 + a Cookie header in outbound HTTP requests and the user agent MUST NOT 1582 + process Set-Cookie headers in inbound HTTP responses. 1583 + 1584 + Some user agents provide users the option of preventing persistent 1585 + storage of cookies across sessions. When configured thusly, user 1586 + agents MUST treat all received cookies as if the persistent-flag were 1587 + set to false. Some popular user agents expose this functionality via 1588 + "private browsing" mode [Aggarwal2010]. 1589 + 1590 + Some user agents provide users with the ability to approve individual 1591 + writes to the cookie store. In many common usage scenarios, these 1592 + controls generate a large number of prompts. However, some privacy- 1593 + conscious users find these controls useful nonetheless. 1594 + 1595 + 7.3. Expiration Dates 1596 + 1597 + Although servers can set the expiration date for cookies to the 1598 + distant future, most user agents do not actually retain cookies for 1599 + multiple decades. Rather than choosing gratuitously long expiration 1600 + periods, servers SHOULD promote user privacy by selecting reasonable 1601 + cookie expiration periods based on the purpose of the cookie. For 1602 + example, a typical session identifier might reasonably be set to 1603 + expire in two weeks. 1604 + 1605 + 8. Security Considerations 1606 + 1607 + 8.1. Overview 1608 + 1609 + Cookies have a number of security pitfalls. This section overviews a 1610 + few of the more salient issues. 1611 + 1612 + In particular, cookies encourage developers to rely on ambient 1613 + authority for authentication, often becoming vulnerable to attacks 1614 + such as cross-site request forgery [CSRF]. Also, when storing 1615 + session identifiers in cookies, developers often create session 1616 + fixation vulnerabilities. 1617 + 1618 + Transport-layer encryption, such as that employed in HTTPS, is 1619 + insufficient to prevent a network attacker from obtaining or altering 1620 + a victim's cookies because the cookie protocol itself has various 1621 + vulnerabilities (see "Weak Confidentiality" and "Weak Integrity", 1622 + 1623 + 1624 + 1625 + 1626 + Barth Standards Track [Page 29] 1627 + 1628 + RFC 6265 HTTP State Management Mechanism April 2011 1629 + 1630 + 1631 + below). In addition, by default, cookies do not provide 1632 + confidentiality or integrity from network attackers, even when used 1633 + in conjunction with HTTPS. 1634 + 1635 + 8.2. Ambient Authority 1636 + 1637 + A server that uses cookies to authenticate users can suffer security 1638 + vulnerabilities because some user agents let remote parties issue 1639 + HTTP requests from the user agent (e.g., via HTTP redirects or HTML 1640 + forms). When issuing those requests, user agents attach cookies even 1641 + if the remote party does not know the contents of the cookies, 1642 + potentially letting the remote party exercise authority at an unwary 1643 + server. 1644 + 1645 + Although this security concern goes by a number of names (e.g., 1646 + cross-site request forgery, confused deputy), the issue stems from 1647 + cookies being a form of ambient authority. Cookies encourage server 1648 + operators to separate designation (in the form of URLs) from 1649 + authorization (in the form of cookies). Consequently, the user agent 1650 + might supply the authorization for a resource designated by the 1651 + attacker, possibly causing the server or its clients to undertake 1652 + actions designated by the attacker as though they were authorized by 1653 + the user. 1654 + 1655 + Instead of using cookies for authorization, server operators might 1656 + wish to consider entangling designation and authorization by treating 1657 + URLs as capabilities. Instead of storing secrets in cookies, this 1658 + approach stores secrets in URLs, requiring the remote entity to 1659 + supply the secret itself. Although this approach is not a panacea, 1660 + judicious application of these principles can lead to more robust 1661 + security. 1662 + 1663 + 8.3. Clear Text 1664 + 1665 + Unless sent over a secure channel (such as TLS), the information in 1666 + the Cookie and Set-Cookie headers is transmitted in the clear. 1667 + 1668 + 1. All sensitive information conveyed in these headers is exposed to 1669 + an eavesdropper. 1670 + 1671 + 2. A malicious intermediary could alter the headers as they travel 1672 + in either direction, with unpredictable results. 1673 + 1674 + 3. A malicious client could alter the Cookie header before 1675 + transmission, with unpredictable results. 1676 + 1677 + 1678 + 1679 + 1680 + 1681 + 1682 + Barth Standards Track [Page 30] 1683 + 1684 + RFC 6265 HTTP State Management Mechanism April 2011 1685 + 1686 + 1687 + Servers SHOULD encrypt and sign the contents of cookies (using 1688 + whatever format the server desires) when transmitting them to the 1689 + user agent (even when sending the cookies over a secure channel). 1690 + However, encrypting and signing cookie contents does not prevent an 1691 + attacker from transplanting a cookie from one user agent to another 1692 + or from replaying the cookie at a later time. 1693 + 1694 + In addition to encrypting and signing the contents of every cookie, 1695 + servers that require a higher level of security SHOULD use the Cookie 1696 + and Set-Cookie headers only over a secure channel. When using 1697 + cookies over a secure channel, servers SHOULD set the Secure 1698 + attribute (see Section 4.1.2.5) for every cookie. If a server does 1699 + not set the Secure attribute, the protection provided by the secure 1700 + channel will be largely moot. 1701 + 1702 + For example, consider a webmail server that stores a session 1703 + identifier in a cookie and is typically accessed over HTTPS. If the 1704 + server does not set the Secure attribute on its cookies, an active 1705 + network attacker can intercept any outbound HTTP request from the 1706 + user agent and redirect that request to the webmail server over HTTP. 1707 + Even if the webmail server is not listening for HTTP connections, the 1708 + user agent will still include cookies in the request. The active 1709 + network attacker can intercept these cookies, replay them against the 1710 + server, and learn the contents of the user's email. If, instead, the 1711 + server had set the Secure attribute on its cookies, the user agent 1712 + would not have included the cookies in the clear-text request. 1713 + 1714 + 8.4. Session Identifiers 1715 + 1716 + Instead of storing session information directly in a cookie (where it 1717 + might be exposed to or replayed by an attacker), servers commonly 1718 + store a nonce (or "session identifier") in a cookie. When the server 1719 + receives an HTTP request with a nonce, the server can look up state 1720 + information associated with the cookie using the nonce as a key. 1721 + 1722 + Using session identifier cookies limits the damage an attacker can 1723 + cause if the attacker learns the contents of a cookie because the 1724 + nonce is useful only for interacting with the server (unlike non- 1725 + nonce cookie content, which might itself be sensitive). Furthermore, 1726 + using a single nonce prevents an attacker from "splicing" together 1727 + cookie content from two interactions with the server, which could 1728 + cause the server to behave unexpectedly. 1729 + 1730 + Using session identifiers is not without risk. For example, the 1731 + server SHOULD take care to avoid "session fixation" vulnerabilities. 1732 + A session fixation attack proceeds in three steps. First, the 1733 + attacker transplants a session identifier from his or her user agent 1734 + to the victim's user agent. Second, the victim uses that session 1735 + 1736 + 1737 + 1738 + Barth Standards Track [Page 31] 1739 + 1740 + RFC 6265 HTTP State Management Mechanism April 2011 1741 + 1742 + 1743 + identifier to interact with the server, possibly imbuing the session 1744 + identifier with the user's credentials or confidential information. 1745 + Third, the attacker uses the session identifier to interact with 1746 + server directly, possibly obtaining the user's authority or 1747 + confidential information. 1748 + 1749 + 8.5. Weak Confidentiality 1750 + 1751 + Cookies do not provide isolation by port. If a cookie is readable by 1752 + a service running on one port, the cookie is also readable by a 1753 + service running on another port of the same server. If a cookie is 1754 + writable by a service on one port, the cookie is also writable by a 1755 + service running on another port of the same server. For this reason, 1756 + servers SHOULD NOT both run mutually distrusting services on 1757 + different ports of the same host and use cookies to store security- 1758 + sensitive information. 1759 + 1760 + Cookies do not provide isolation by scheme. Although most commonly 1761 + used with the http and https schemes, the cookies for a given host 1762 + might also be available to other schemes, such as ftp and gopher. 1763 + Although this lack of isolation by scheme is most apparent in non- 1764 + HTTP APIs that permit access to cookies (e.g., HTML's document.cookie 1765 + API), the lack of isolation by scheme is actually present in 1766 + requirements for processing cookies themselves (e.g., consider 1767 + retrieving a URI with the gopher scheme via HTTP). 1768 + 1769 + Cookies do not always provide isolation by path. Although the 1770 + network-level protocol does not send cookies stored for one path to 1771 + another, some user agents expose cookies via non-HTTP APIs, such as 1772 + HTML's document.cookie API. Because some of these user agents (e.g., 1773 + web browsers) do not isolate resources received from different paths, 1774 + a resource retrieved from one path might be able to access cookies 1775 + stored for another path. 1776 + 1777 + 8.6. Weak Integrity 1778 + 1779 + Cookies do not provide integrity guarantees for sibling domains (and 1780 + their subdomains). For example, consider foo.example.com and 1781 + bar.example.com. The foo.example.com server can set a cookie with a 1782 + Domain attribute of "example.com" (possibly overwriting an existing 1783 + "example.com" cookie set by bar.example.com), and the user agent will 1784 + include that cookie in HTTP requests to bar.example.com. In the 1785 + worst case, bar.example.com will be unable to distinguish this cookie 1786 + from a cookie it set itself. The foo.example.com server might be 1787 + able to leverage this ability to mount an attack against 1788 + bar.example.com. 1789 + 1790 + 1791 + 1792 + 1793 + 1794 + Barth Standards Track [Page 32] 1795 + 1796 + RFC 6265 HTTP State Management Mechanism April 2011 1797 + 1798 + 1799 + Even though the Set-Cookie header supports the Path attribute, the 1800 + Path attribute does not provide any integrity protection because the 1801 + user agent will accept an arbitrary Path attribute in a Set-Cookie 1802 + header. For example, an HTTP response to a request for 1803 + http://example.com/foo/bar can set a cookie with a Path attribute of 1804 + "/qux". Consequently, servers SHOULD NOT both run mutually 1805 + distrusting services on different paths of the same host and use 1806 + cookies to store security-sensitive information. 1807 + 1808 + An active network attacker can also inject cookies into the Cookie 1809 + header sent to https://example.com/ by impersonating a response from 1810 + http://example.com/ and injecting a Set-Cookie header. The HTTPS 1811 + server at example.com will be unable to distinguish these cookies 1812 + from cookies that it set itself in an HTTPS response. An active 1813 + network attacker might be able to leverage this ability to mount an 1814 + attack against example.com even if example.com uses HTTPS 1815 + exclusively. 1816 + 1817 + Servers can partially mitigate these attacks by encrypting and 1818 + signing the contents of their cookies. However, using cryptography 1819 + does not mitigate the issue completely because an attacker can replay 1820 + a cookie he or she received from the authentic example.com server in 1821 + the user's session, with unpredictable results. 1822 + 1823 + Finally, an attacker might be able to force the user agent to delete 1824 + cookies by storing a large number of cookies. Once the user agent 1825 + reaches its storage limit, the user agent will be forced to evict 1826 + some cookies. Servers SHOULD NOT rely upon user agents retaining 1827 + cookies. 1828 + 1829 + 8.7. Reliance on DNS 1830 + 1831 + Cookies rely upon the Domain Name System (DNS) for security. If the 1832 + DNS is partially or fully compromised, the cookie protocol might fail 1833 + to provide the security properties required by applications. 1834 + 1835 + 9. IANA Considerations 1836 + 1837 + The permanent message header field registry (see [RFC3864]) has been 1838 + updated with the following registrations. 1839 + 1840 + 1841 + 1842 + 1843 + 1844 + 1845 + 1846 + 1847 + 1848 + 1849 + 1850 + Barth Standards Track [Page 33] 1851 + 1852 + RFC 6265 HTTP State Management Mechanism April 2011 1853 + 1854 + 1855 + 9.1. Cookie 1856 + 1857 + Header field name: Cookie 1858 + 1859 + Applicable protocol: http 1860 + 1861 + Status: standard 1862 + 1863 + Author/Change controller: IETF 1864 + 1865 + Specification document: this specification (Section 5.4) 1866 + 1867 + 9.2. Set-Cookie 1868 + 1869 + Header field name: Set-Cookie 1870 + 1871 + Applicable protocol: http 1872 + 1873 + Status: standard 1874 + 1875 + Author/Change controller: IETF 1876 + 1877 + Specification document: this specification (Section 5.2) 1878 + 1879 + 9.3. Cookie2 1880 + 1881 + Header field name: Cookie2 1882 + 1883 + Applicable protocol: http 1884 + 1885 + Status: obsoleted 1886 + 1887 + Author/Change controller: IETF 1888 + 1889 + Specification document: [RFC2965] 1890 + 1891 + 9.4. Set-Cookie2 1892 + 1893 + Header field name: Set-Cookie2 1894 + 1895 + Applicable protocol: http 1896 + 1897 + Status: obsoleted 1898 + 1899 + Author/Change controller: IETF 1900 + 1901 + Specification document: [RFC2965] 1902 + 1903 + 1904 + 1905 + 1906 + Barth Standards Track [Page 34] 1907 + 1908 + RFC 6265 HTTP State Management Mechanism April 2011 1909 + 1910 + 1911 + 10. References 1912 + 1913 + 10.1. Normative References 1914 + 1915 + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 1916 + STD 13, RFC 1034, November 1987. 1917 + 1918 + [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 1919 + and Support", STD 3, RFC 1123, October 1989. 1920 + 1921 + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1922 + Requirement Levels", BCP 14, RFC 2119, March 1997. 1923 + 1924 + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 1925 + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 1926 + Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 1927 + 1928 + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, 1929 + "Internationalizing Domain Names in Applications (IDNA)", 1930 + RFC 3490, March 2003. 1931 + 1932 + See Section 6.3 for an explanation why the normative 1933 + reference to an obsoleted specification is needed. 1934 + 1935 + [RFC4790] Newman, C., Duerst, M., and A. Gulbrandsen, "Internet 1936 + Application Protocol Collation Registry", RFC 4790, 1937 + March 2007. 1938 + 1939 + [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 1940 + Specifications: ABNF", STD 68, RFC 5234, January 2008. 1941 + 1942 + [RFC5890] Klensin, J., "Internationalized Domain Names for 1943 + Applications (IDNA): Definitions and Document Framework", 1944 + RFC 5890, August 2010. 1945 + 1946 + [USASCII] American National Standards Institute, "Coded Character 1947 + Set -- 7-bit American Standard Code for Information 1948 + Interchange", ANSI X3.4, 1986. 1949 + 1950 + 10.2. Informative References 1951 + 1952 + [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management 1953 + Mechanism", RFC 2109, February 1997. 1954 + 1955 + [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management 1956 + Mechanism", RFC 2965, October 2000. 1957 + 1958 + 1959 + 1960 + 1961 + 1962 + Barth Standards Track [Page 35] 1963 + 1964 + RFC 6265 HTTP State Management Mechanism April 2011 1965 + 1966 + 1967 + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 1968 + 1969 + [Netscape] Netscape Communications Corp., "Persistent Client State -- 1970 + HTTP Cookies", 1999, <http://web.archive.org/web/ 1971 + 20020803110822/http://wp.netscape.com/newsref/std/ 1972 + cookie_spec.html>. 1973 + 1974 + [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 1975 + Politics", ACM Transactions on Internet Technology Vol. 1, 1976 + #2, November 2001, <http://arxiv.org/abs/cs.SE/0105018>. 1977 + 1978 + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 1979 + 10646", STD 63, RFC 3629, November 2003. 1980 + 1981 + [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 1982 + Encodings", RFC 4648, October 2006. 1983 + 1984 + [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 1985 + Procedures for Message Header Fields", BCP 90, RFC 3864, 1986 + September 2004. 1987 + 1988 + [RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for 1989 + Internationalized Domain Names in Applications (IDNA) 1990 + 2008", RFC 5895, September 2010. 1991 + 1992 + [UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility 1993 + Processing", Unicode Technical Standards # 46, 2010, 1994 + <http://unicode.org/reports/tr46/>. 1995 + 1996 + [CSRF] Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses 1997 + for Cross-Site Request Forgery", 2008, 1998 + <http://portal.acm.org/citation.cfm?id=1455770.1455782>. 1999 + 2000 + [Aggarwal2010] 2001 + Aggarwal, G., Burzstein, E., Jackson, C., and D. Boneh, 2002 + "An Analysis of Private Browsing Modes in Modern 2003 + Browsers", 2010, <http://www.usenix.org/events/sec10/tech/ 2004 + full_papers/Aggarwal.pdf>. 2005 + 2006 + 2007 + 2008 + 2009 + 2010 + 2011 + 2012 + 2013 + 2014 + 2015 + 2016 + 2017 + 2018 + Barth Standards Track [Page 36] 2019 + 2020 + RFC 6265 HTTP State Management Mechanism April 2011 2021 + 2022 + 2023 + Appendix A. Acknowledgements 2024 + 2025 + This document borrows heavily from RFC 2109 [RFC2109]. We are 2026 + indebted to David M. Kristol and Lou Montulli for their efforts to 2027 + specify cookies. David M. Kristol, in particular, provided 2028 + invaluable advice on navigating the IETF process. We would also like 2029 + to thank Thomas Broyer, Tyler Close, Alissa Cooper, Bil Corry, 2030 + corvid, Lisa Dusseault, Roy T. Fielding, Blake Frantz, Anne van 2031 + Kesteren, Eran Hammer-Lahav, Jeff Hodges, Bjoern Hoehrmann, Achim 2032 + Hoffmann, Georg Koppen, Dean McNamee, Alexey Melnikov, Mark Miller, 2033 + Mark Pauley, Yngve N. Pettersen, Julian Reschke, Peter Saint-Andre, 2034 + Mark Seaborn, Maciej Stachowiak, Daniel Stenberg, Tatsuhiro 2035 + Tsujikawa, David Wagner, Dan Winship, and Dan Witte for their 2036 + valuable feedback on this document. 2037 + 2038 + Author's Address 2039 + 2040 + Adam Barth 2041 + University of California, Berkeley 2042 + 2043 + EMail: abarth@eecs.berkeley.edu 2044 + URI: http://www.adambarth.com/ 2045 + 2046 + 2047 + 2048 + 2049 + 2050 + 2051 + 2052 + 2053 + 2054 + 2055 + 2056 + 2057 + 2058 + 2059 + 2060 + 2061 + 2062 + 2063 + 2064 + 2065 + 2066 + 2067 + 2068 + 2069 + 2070 + 2071 + 2072 + 2073 + 2074 + Barth Standards Track [Page 37] 2075 +