Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Draft IETF – HTTPState (Cookies)

A friend of mine (thanks Ben) pointed me at the latest draft IETF covering HTTPState (i.e. Cookies). I’m sure there are lots of you who love reading RFCs in your spare time…. after all, we all suffer from insomnia at one point or another 😉

Regardless, I found it interesting that the HTTPState Working Group are finally working to integrate the HTTPOnly flag into the RFC. The HTTPOnly flag was originally sugegsted in 2002 by Microsoft as a way to prevent what they saw as a common attack vector (i.e. Cross-Site Scripting being used to steal Session Cookies). Microsoft built support for the HTTPOnly flag into Internet Explorer 6 (sp1) and it was adopted by other major browsers and programming languages.

The new working group are looking to replace the aging RFC2109 and the (supposed replacement) RFC2965 with a new standard based on the previous standards. Alone this wouldn’t be news, but alongside the update comes the integration of the HTTPOnly flag which, despite being widely used and supported for years, has never featured in the RFCs previously.

The roadmap shows the working group aiming for March 2011 for a final release.

Information from the “HTTP State Management Mechanism” Working Group

Description of Working Group:

  The HTTP State Management Mechanism (aka Cookies) was originally
  created by Netscape Communications in their informal Netscape cookie
  specification (“cookie_spec.html”), from which formal specifications
  RFC 2109 and RFC 2965 evolved. The formal specifications, however,
  were never fully implemented in practice; RFC 2109, in addition to
  cookie_spec.html, more closely resemble real-world implementations
  than RFC 2965, even though RFC 2965 officially obsoletes the former.
  Compounding the problem are undocumented features (such as HTTPOnly),
  and varying behaviors among real-world implementations.

  The working group will create a new RFC that:
   * obsoletes RFC 2109,
   * updates RFC 2965 to the extent it overlaps or voids RFC 2109, and
   * specifies Cookies as they are actually used in existing
     implementations and deployments.

  Where commonalities exist in the most widely used implementations, the
  working group will specify the common behavior. Where differences exist
  among the most widely used implementations, the working group will
  document the variations and seek consensus to reduce variation by
  selecting among the most widely used variations.

  The working group must not introduce any new syntax or new semantics
  not already in common use.

  The working group’s specific deliverables are:
  * A standards-track document that is suitable to supersede RFC 2109
    (likely based on draft-abarth-cookie)
  * An informational document cataloguing the differences between major

  In doing so, the working group should consider:

  * cookie_spec.html – Netscape Cookie Specification



  * RFC 2109 – HTTP State Management Mechanism (Obsoleted by RFC 2965)
  * RFC 2964 – Use of HTTP State Management
  * RFC 2965 – HTTP State Management Mechanism (Obsoletes RFC 2109)
  * I-D – HTTP State Management Mechanism v2
  * I-D – Cookie-based HTTP Authentication
  * Widely Implemented – HTTPOnly
  * Browser Security Handbook – Cookies

  * HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol


Comments are closed.

%d bloggers like this: