A new IETF working group has been proposed in the Applications Area. The
IESG has not made any determination as yet. The following draft charter
was submitted, and is provided for informational purposes only. Please
send your comments to the IESG mailing list (iesg at ietf.org) by Tuesday,
December 1, 2009.
HTTP State Management Mechanism (httpstate)
---------------------------------------------------
Current Status: Proposed Working Group
Last modified: 2009-11-11
Chair(s):
TBD
Applications Area Director(s):
Lisa Dusseault <lisa.dusseault at gmail.com>
Alexey Melnikov <alexey.melnikov at isode.com>
Applications Area Advisor:
Lisa Dusseault <lisa.dusseault at gmail.com>
Mailing Lists:
General Discussion: http-state at ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/http-state
Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html
Alternative Archive: http://groups.google.com/group/http-state
Description of Working Group:
The HTTP State Management Mechanism (aka Cookies) was originally
created by Netscape Communications in their informal Netscape cookie
specification ("cookie_spec.html"), from which formal specifications
RFC 2109 and RFC 2965 evolved. The formal specifications, however,
were never fully implemented in practice; RFC 2109, together with
cookie_spec.html, more closely resembles real-world implementations than
RFC 2965, even though RFC 2965 officially obsoletes the former.
Compounding the problem are undocumented features (such as HTTPOnly),
and varying behaviors among real-world implementations.
The working group will create a new RFC that obsoletes RFC 2109 and
specifies Cookies as they are actually used in existing implementations
and deployments. Where differences exist among the most commonly used
implementations, the working group will document the variations. Where
consensus exists among the most commonly used implementations, the
working group will specify the consensus behavior.
The working group must not introduce any new syntax or new semantics
not already in common use.
The working group's specific deliverables are:
* A standards-track document that is suitable to supersede RFC 2109
(likely based on draft-abarth-cookie)
* An informational document cataloguing the differences between major
implementations
In doing so, the working group should consider:
* cookie_spec.html - Netscape Cookie Specification
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)
http://tools.ietf.org/html/rfc2109
* RFC 2964 - Use of HTTP State Management
http://tools.ietf.org/html/rfc2964
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
http://tools.ietf.org/html/rfc2965
* I-D - HTTP State Management Mechanism v2
http://tools.ietf.org/html/draft-pettersen-cookie-v2
* I-D - Cookie-based HTTP Authentication
http://tools.ietf.org/html/draft-broyer-http-cookie-auth
* Widely Implemented - HTTPOnly
http://www.owasp.org/index.php/HTTPOnly
* Browser Security Handbook - Cookies
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol
http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf
Goals and Milestones:
Jan 2010 - Feature-complete Internet-Draft of Cookie specification
Mar 2010 - Feature-complete test suite of Cookie specification
May 2010 - First fully conforming implementation in a major browser
Jul 2010 - Last Call for Cookie specification
Sep 2010 - Second fully conforming implementation in a major browser
Nov 2010 - Submit Cookie specification to IESG for consideration as
a Draft Standard
Nov 2010 - Submit deviation description to IESG for consideration as
Informational