idnits 2.17.1 

draft-abarth-cookie-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.ii or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices.  See
     https://trustee.ietf.org/license-info/.)


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There is 1 instance of too long lines in the document, the longest one
     being 5 characters in excess of 72.

  == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
     document.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (August 7, 2009) is 5376 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'RFC 2068' on line 171 looks like a reference


     Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	http-state Working Group                                        A. Barth
3	Internet-Draft                                             U.C. Berkeley
4	Expires: February 8, 2010                                 August 7, 2009

6	                    HTTP State Management Mechanism
7	                         draft-abarth-cookie-00

9	Status of this Memo

11	   This Internet-Draft is submitted to IETF in full conformance with the
12	   provisions of BCP 78 and BCP 79.

14	   Internet-Drafts are working documents of the Internet Engineering
15	   Task Force (IETF), its areas, and its working groups.  Note that
16	   other groups may also distribute working documents as Internet-
17	   Drafts.

19	   Internet-Drafts are draft documents valid for a maximum of six months
20	   and may be updated, replaced, or obsoleted by other documents at any
21	   time.  It is inappropriate to use Internet-Drafts as reference
22	   material or to cite them other than as "work in progress."

24	   The list of current Internet-Drafts can be accessed at
25	   http://www.ietf.org/ietf/1id-abstracts.txt.

27	   The list of Internet-Draft Shadow Directories can be accessed at
28	   http://www.ietf.org/shadow.html.

30	   This Internet-Draft will expire on February 8, 2010.

32	Copyright Notice

34	   Copyright (c) 2009 IETF Trust and the persons identified as the
35	   document authors.  All rights reserved.

37	   This document is subject to BCP 78 and the IETF Trust's Legal
38	   Provisions Relating to IETF Documents in effect on the date of
39	   publication of this document (http://trustee.ietf.org/license-info).
40	   Please review these documents carefully, as they describe your rights
41	   and restrictions with respect to this document.

43	Abstract

45	   This document defines the HTTP Cookie and Set-Cookie headers.

47	   NOTE:

49	      This document is currently a "straw-man" cookie proposal.  Much of
50	      the text herein is completely wrong.  If you have suggestions for
51	      improving the draft, please send email to http-state@ietf.org.
52	      Suggestions with test cases are especially appriciated.

54	Table of Contents

56	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
57	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
58	   3.  State and Sessions . . . . . . . . . . . . . . . . . . . . . .  5
59	   4.  Outline  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
60	     4.1.  Syntax: General  . . . . . . . . . . . . . . . . . . . . .  6
61	     4.2.  Origin Server Role . . . . . . . . . . . . . . . . . . . .  6
62	       4.2.1.  General  . . . . . . . . . . . . . . . . . . . . . . .  6
63	       4.2.2.  Set-Cookie Syntax  . . . . . . . . . . . . . . . . . .  7
64	       4.2.3.  Controlling Caching  . . . . . . . . . . . . . . . . .  9
65	     4.3.  User Agent Role  . . . . . . . . . . . . . . . . . . . . . 10
66	       4.3.1.  Interpreting Set-Cookie  . . . . . . . . . . . . . . . 10
67	       4.3.2.  Rejecting Cookies  . . . . . . . . . . . . . . . . . . 11
68	       4.3.3.  Cookie Management  . . . . . . . . . . . . . . . . . . 12
69	       4.3.4.  Sending Cookies to the Origin Server . . . . . . . . . 12
70	       4.3.5.  Sending Cookies in Unverifiable Transactions . . . . . 14
71	     4.4.  How an Origin Server Interprets the Cookie Header  . . . . 14
72	     4.5.  Caching Proxy Role . . . . . . . . . . . . . . . . . . . . 14
73	   5.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
74	     5.1.  Example 1  . . . . . . . . . . . . . . . . . . . . . . . . 15
75	     5.2.  Example 2  . . . . . . . . . . . . . . . . . . . . . . . . 16
76	   6.  Implementation Considerations  . . . . . . . . . . . . . . . . 18
77	     6.1.  Set-Cookie Content . . . . . . . . . . . . . . . . . . . . 18
78	     6.2.  Implementation Limits  . . . . . . . . . . . . . . . . . . 18
79	       6.2.1.  Denial of Service Attacks  . . . . . . . . . . . . . . 19
80	   7.  Privacy  . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
81	     7.1.  User Agent Control . . . . . . . . . . . . . . . . . . . . 20
82	     7.2.  Protocol Design  . . . . . . . . . . . . . . . . . . . . . 21
83	   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 22
84	     8.1.  Clear Text . . . . . . . . . . . . . . . . . . . . . . . . 22
85	     8.2.  Cookie Spoofing  . . . . . . . . . . . . . . . . . . . . . 22
86	     8.3.  Unexpected Cookie Sharing  . . . . . . . . . . . . . . . . 22
87	   9.  Other, Similar, Proposals  . . . . . . . . . . . . . . . . . . 23
88	   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 24
89	   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25

91	1.  Introduction

93	   This document defines the HTTP Cookie and Set-Cookie header.

95	2.  Terminology

97	   The terms user agent, client, server, proxy, and origin server have
98	   the same meaning as in the HTTP/1.0 specification.

100	   Fully-qualified host name (FQHN) means either the fully-qualified
101	   domain name (FQDN) of a host (i.e., a completely specified domain
102	   name ending in a top-level domain such as .com or .uk), or the
103	   numeric Internet Protocol (IP) address of a host.  The fully
104	   qualified domain name is preferred; use of numeric IP addresses is
105	   strongly discouraged.  [TODO: What does "strongly discouraged" mean?]

107	   The terms request-host and request-URI refer to the values the client
108	   would send to the server as, respectively, the host (but not port)
109	   and abs_path portions of the absoluteURI (http_URL) of the HTTP
110	   request line.  Note that request-host must be a FQHN.  Hosts names
111	   can be specified either as an IP address or a FQHN string.  Sometimes
112	   we compare one host name with another.  Host A's name domain-matches
113	   host B's if

115	   o  both host names are IP addresses and their host name strings match
116	      exactly; or

118	   o  both host names are FQDN strings and their host name strings match
119	      exactly; or

121	   o  A is a FQDN string and has the form NB, where N is a non-empty
122	      name string, B has the form .B, and B is a FQDN string.  (So,
123	      x.y.com domain-matches .y.com but not y.com.)

125	   Note that domain-match is not a commutative operation: a.b.c.com
126	   domain-matches .c.com, but not the reverse.

128	   Because it was used in Netscape's original implementation of state
129	   management, we will use the term cookie to refer to the state
130	   information that passes between an origin server and user agent, and
131	   that gets stored by the user agent.

133	3.  State and Sessions

135	   This document describes a way to create stateful sessions with HTTP
136	   requests and responses.  HTTP servers respond to each client request
137	   without relating that request to previous or subsequent requests; the
138	   technique allows clients and servers that wish to exchange state
139	   information to place HTTP requests and responses within a larger
140	   context, which we term a "session".  This context might be used to
141	   create, for example, a "shopping cart", in which user selections can
142	   be aggregated before purchase, or a magazine browsing system, in
143	   which a user's previous reading affects which offerings are
144	   presented.

146	   There are, of course, many different potential contexts and thus many
147	   different potential types of session.  The designers' paradigm for
148	   sessions created by the exchange of cookies has these key attributes:

150	   1.  Each session has a beginning and an end.

152	   2.  Each session is relatively short-lived.

154	   3.  Either the user agent or the origin server may terminate a
155	       session.

157	   4.  The session is implicit in the exchange of state information.

159	4.  Outline

161	   We outline here a way for an origin server to send state information
162	   to the user agent, and for the user agent to return the state
163	   information to the origin server.

165	4.1.  Syntax: General

167	   The two state management headers, Set-Cookie and Cookie, have common
168	   syntactic properties involving attribute-value pairs.  The following
169	   grammar uses the notation, and tokens DIGIT (decimal digits) and
170	   token (informally, a sequence of non-special, non-white space
171	   characters) from the HTTP/1.1 specification [RFC 2068] to describe
172	   their syntax.

174	   [TODO: Test this grammar.  I think there are many, many issue with
175	   this grammer.  For example, this grammar seems to permit whitespace
176	   around the "=", but I don't think that actually works.]

178	      av-pairs        =       av-pair *(";" av-pair)
179	      av-pair         =       attr ["=" value]        ; optional value
180	      attr            =       token
181	      value           =       word
182	      word            =       token | quoted-string

184	   Attributes (names) (attr) are case-insensitive.  White space is
185	   permitted between tokens.  Note that while the above syntax
186	   description shows value as optional, most attrs require them.

188	   NOTE: The syntax above allows whitespace between the attribute and
189	   the = sign.  [TODO: This is probably wrong, however.]

191	4.2.  Origin Server Role

193	4.2.1.  General

195	   The origin server initiates a session, if it so desires.  (Note that
196	   "session" here does not refer to a persistent network connection but
197	   to a logical session created from HTTP requests and responses.  The
198	   presence or absence of a persistent connection should have no effect
199	   on the use of cookie-derived sessions).  To initiate a session, the
200	   origin server returns an extra response header to the client, Set-
201	   Cookie.  (The details follow later.)

203	   A user agent returns a Cookie request header (see below) to the
204	   origin server if it chooses to continue a session.  The origin server
205	   may ignore it or use it to determine the current state of the
206	   session.  It may send the client a Set-Cookie response header with
207	   the same or different information, or it may send no Set-Cookie
208	   header at all.  The origin server effectively ends a session by
209	   sending the client a Set-Cookie header with Max-Age=0.  [TODO: Need
210	   to say something about Expires here.]

212	   Servers may return a Set-Cookie response headers with any response.
213	   User agents should send Cookie request headers, subject to other
214	   rules detailed below, with every request.

216	   An origin server may include multiple Set-Cookie headers in a
217	   response.  Note that an intervening gateway could fold multiple such
218	   headers into a single header.  [TODO: Investigate how UAs cope with
219	   such folded headers.]

221	4.2.2.  Set-Cookie Syntax

223	   The syntax for the Set-Cookie response header is

225	   [TODO: Valdiate this syntax.]

227	      set-cookie      =       "Set-Cookie:" cookies
228	      cookies         =       1#cookie
229	      cookie          =       NAME "=" VALUE *(";" cookie-av)
230	      NAME            =       attr
231	      VALUE           =       value
232	      cookie-av       =       "Comment" "=" value
233	                      |       "Domain" "=" value
234	                      |       "Max-Age" "=" value
235	                              [TODO: Expires is clearly missing.]
236	                      |       "Path" "=" value
237	                      |       "Secure"
238	                              [TODO: HTTPOnly is also missing.]
239	                      |       "Version" "=" 1*DIGIT
240	                              [TODO: Version is likely a fantasy.]

242	   Informally, the Set-Cookie response header comprises the token Set-
243	   Cookie:, followed by a comma-separated list of one or more cookies.
244	   Each cookie begins with a NAME=VALUE pair, followed by zero or more
245	   semi-colon-separated attribute-value pairs.  The specific attributes
246	   and the semantics of their values follows.  The NAME=VALUE attribute-
247	   value pair must come first in each cookie.  The others, if present,
248	   can occur in any order.  If an attribute appears more than once in a
249	   cookie, the behavior is undefined.  [TODO: Test what happens when
250	   attributes are multiply defined.]

252	      NAME=VALUE
253	         Required.  The name of the state information ("cookie") is
254	         NAME, and its value is VALUE.  NAMEs that begin with $ are
255	         reserved for other uses and must not be used by applications.
256	         [TODO: I suspect the $ rule is a fantasy.]  The VALUE is opaque
257	         to the user agent and may be anything the origin server chooses
258	         to send, possibly in a server-selected printable ASCII
259	         encoding.  "Opaque" implies that the content is of interest and
260	         relevance only to the origin server.  The content may, in fact,
261	         be readable by anyone that examines the Set-Cookie header.

263	      Comment=comment

265	         Optional.  Because cookies can contain private information
266	         about a user, the Cookie attribute allows an origin server to
267	         document its intended use of a cookie.  The user can inspect
268	         the information to decide whether to initiate or continue a
269	         session with this cookie.  [TODO: Does this actually exist?]

271	      Domain=domain

273	         Optional.  The Domain attribute specifies the domain for which
274	         the cookie is valid.  An explicitly specified domain must
275	         always start with a dot.  [TODO: Test what happens without a
276	         dot.]

278	      Max-Age=delta-seconds

280	         Optional.  The Max-Age attribute defines the lifetime of the
281	         cookie, in seconds.  The delta-seconds value is a decimal non-
282	         negative integer.  [TODO: Test negative integers.]  After
283	         delta-seconds seconds elapse, the client should discard the
284	         cookie.  A value of zero means the cookie should be discarded
285	         immediately.

287	      Path=path

289	         Optional.  The Path attribute specifies the subset of URLs to
290	         which this cookie applies.

292	      Secure

294	         Optional.  The Secure attribute (with no value) directs the
295	         user agent to use only (unspecified) secure means to contact
296	         the origin server whenever it sends back this cookie.  [TODO:
297	         We should give better implementation advice than this.]

299	         The user agent (possibly under the user's control) may
300	         determine what level of security it considers appropriate for
301	         "secure" cookies.  The Secure attribute should be considered
302	         security advice from the server to the user agent, indicating
303	         that it is in the session's interest to protect the
304	         confidentiality of the cookie's value.

306	      Version=version

308	         Required [TODO: Unlikely].  The Version attribute, a decimal
309	         integer, identifies to which version of the state management
310	         specification the cookie conforms.  For this specification,
311	         Version=1 applies.  [TODO: Remove this attribute.]

313	4.2.3.  Controlling Caching

315	   [TODO: Should we go into this much detail here?  This seems redudant
316	   with the HTTP specs.]

318	   An origin server must be cognizant of the effect of possible caching
319	   of both the returned resource and the Set-Cookie header.  Caching
320	   "public" documents is desirable.  For example, if the origin server
321	   wants to use a public document such as a "front door" page as a
322	   sentinel to indicate the beginning of a session for which a Set-
323	   Cookie response header must be generated, the page should be stored
324	   in caches "pre-expired" so that the origin server will see further
325	   requests.  "Private documents", for example those that contain
326	   information strictly private to a session, should not be cached in
327	   shared caches.

329	   If the cookie is intended for use by a single user, the Set-Cookie
330	   header should not be cached.  A Set-Cookie header that is intended to
331	   be shared by multiple users may be cached.

333	   The origin server should send the following additional HTTP/1.1
334	   response headers, depending on circumstances: [TODO: Is this good
335	   advice?]

337	   o  To suppress caching of the Set-Cookie header: Cache-control: no-
338	      cache="set-cookie".

340	   and one of the following:

342	   o  To suppress caching of a private document in shared caches: Cache-
343	      Control: private.

345	   o  To allow caching of a document and require that it be validated
346	      before returning it to the client: Cache-Control: must-revalidate.

348	   o  To allow caching of a document, but to require that proxy caches
349	      (not user agent caches) validate it before returning it to the
350	      client: Cache-Control: proxy-revalidate.

352	   o  To allow caching of a document and request that it be validated
353	      before returning it to the client (by "pre-expiring" it): Cache-
354	      Control: max-age=0.  Not all caches will revalidate the document
355	      in every case.

357	   HTTP/1.1 servers must send Expires: old-date (where old-date is a
358	   date long in the past) on responses containing Set-Cookie response
359	   headers unless they know for certain (by out of band means) that
360	   there are no downsteam HTTP/1.0 proxies.  HTTP/1.1 servers may send
361	   other Cache-Control directives that permit caching by HTTP/1.1
362	   proxies in addition to the Expires: old-date directive; the Cache-
363	   Control directive will override the Expires: old-date for HTTP/1.1
364	   proxies.

366	4.3.  User Agent Role

368	4.3.1.  Interpreting Set-Cookie

370	   The user agent keeps separate track of state information that arrives
371	   via Set-Cookie response headers from each origin server (as
372	   distinguished by name or IP address and port).  The user agent
373	   applies these defaults for optional attributes that are missing:

375	   Version  Defaults to "old cookie" behavior as originally specified by
376	      Netscape.  See the HISTORICAL section.  [TODO: Unlikely.]

378	   Domain  Defaults to the request-host.  (Note that there is no dot at
379	      the beginning of request-host.)  [TODO: This is important to
380	      test!]

382	   Max-Age  The default behavior is to discard the cookie when the user
383	      agent exits.  [TODO: Interaction with Expires.]

385	   Expires  The default behavior is to discard the cookie when the user
386	      agent exits.  [TODO: Interaction with Max-Age.]

388	   Path  Defaults to the path of the request URL that generated the Set-
389	      Cookie response, up to, but not including, the right-most /.
390	      [TODO: Test!  This seems wrong for paths that are just a single
391	      slash]

393	   Secure  If absent, the user agent may send the cookie over an
394	      insecure channel.

396	4.3.2.  Rejecting Cookies

398	   To prevent possible security or privacy violations, a user agent must
399	   reject a cookie (shall not store its information) if any of the
400	   following is true:

402	   o  The value of the Path attribute is not a prefix of the request-
403	      URI.  [TODO: This is a lie.]

405	   o  The value for the Domain attribute contains no embedded dots or
406	      does not start with a dot.

408	   o  The value for the request-host does not domain-match the Domain
409	      attribute.  [TODO: Test whether you can set a cookie for a
410	      subdomain of yourself.]

412	   o  The request-host is a FQDN (not IP address) and has the form HD,
413	      where D is the value of the Domain attribute, and H is a string
414	      that contains one or more dots.  [TODO: I don't think this is
415	      right. foo.bar.baz.com can set a cookie for .baz.com]

417	   o  [TODO: Need to interact with public suffix list!]

419	   Examples:

421	   o  A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
422	      would be rejected, because H is y.x and contains a dot.  [TODO: I
423	      don't think this is right.]

425	   o  A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
426	      be accepted.

428	   o  A Set-Cookie with Domain=.com or Domain=.com., will be rejected,
429	      because there is no embedded dot.

431	   o  A Set-Cookie with Domain=foo.com will be rejected because the
432	      value for Domain does not begin with a dot.  [TODO: This seems
433	      unlikely, but test!]

435	   o  A Set-Cookie with Domain=.co.uk will be rejected because .co.uk is
436	      a public suffix.

438	4.3.3.  Cookie Management

440	   If a user agent receives a Set-Cookie response header whose NAME is
441	   the same as a pre-existing cookie, and whose Domain and Path
442	   attribute values exactly (string) match those of a pre-existing
443	   cookie, the new cookie supersedes the old.  However, if the Set-
444	   Cookie has a value for Max-Age of zero, the (old and new) cookie is
445	   discarded.  Otherwise cookies accumulate until they expire (resources
446	   permitting), at which time they are discarded.  [TODO: Do cookies
447	   really accumulate like this?  Also, need to talk about Expires]

449	   Because user agents have finite space in which to store cookies, they
450	   may also discard older cookies to make space for newer ones, using,
451	   for example, a least-recently-used algorithm, along with constraints
452	   on the maximum number of cookies that each origin server may set.
453	   [TODO: Consider recommending a cookie eviction strategy that works in
454	   practice.]

456	   If a Set-Cookie response header includes a Comment attribute, the
457	   user agent should store that information in a human-readable form
458	   with the cookie and should display the comment text as part of a
459	   cookie inspection user interface.  [TODO: I think the Comment
460	   attribute is a fantasy.]

462	   User agents should allow the user to control cookie destruction.  An
463	   infrequently-used cookie may function as a "preferences file" for
464	   network applications, and a user may wish to keep it even if it is
465	   the least-recently-used cookie.  One possible implementation would be
466	   an interface that allows the permanent storage of a cookie through a
467	   checkbox (or, conversely, its immediate destruction).  [TODO:
468	   Remove?]

470	   Privacy considerations dictate that the user have considerable
471	   control over cookie management.  The PRIVACY section contains more
472	   information.

474	4.3.4.  Sending Cookies to the Origin Server

476	   When it sends a request to an origin server, the user agent sends a
477	   Cookie request header to the origin server if it has cookies that are
478	   applicable to the request, based on

480	   o  the request-host,

482	   o  the request-URI, and

484	   o  the cookie's age.

486	   The syntax for the header is:

488	      cookie          =       "Cookie:" cookie-version
489	                              1*((";" | ",") cookie-value)
490	      cookie-value    =       NAME "=" VALUE [";" path] [";" domain]
491	      cookie-version  =       "$Version" "=" value
492	      NAME            =       attr
493	      VALUE           =       value
494	      path            =       "$Path" "=" value
495	      domain          =       "$Domain" "=" value

497	   [TODO: This syntax is entirely wrong.]

499	   The following rules apply to choosing applicable cookie-values from
500	   among all the cookies the user agent has.

502	      Domain Selection

504	         The origin server's fully-qualified host name must domain-match
505	         the Domain attribute of the cookie.

507	      Path Selection

509	         The Path attribute of the cookie must match a prefix of the
510	         request-URI.  [TODO: Need a more complex algorithm here
511	         involving the / character.]

513	      Max-Age Selection

515	         Cookies that have expired should have been discarded and thus
516	         are not forwarded to an origin server.

518	   If multiple cookies satisfy the criteria above, they are ordered in
519	   the Cookie header such that those with more specific Path attributes
520	   precede those with less specific.  Ordering with respect to other
521	   attributes (e.g., Domain) is unspecified.  [TODO: Figure out the
522	   correct ordering.]

524	   Note: For backward compatibility, the separator in the Cookie header
525	   is semi-colon (;) everywhere.  A server should also accept comma (,)
526	   as the separator between cookie-values for future compatibility.
527	   [TODO: Test whether servers actually do this.]

529	4.3.5.  Sending Cookies in Unverifiable Transactions

531	   [TODO: This entire section seems like a fantasy.]

533	   [TODO: Consider explaining how third-party cookie blocking works.]

535	4.4.  How an Origin Server Interprets the Cookie Header

537	   [TODO: This section appears to be nonsense.]

539	4.5.  Caching Proxy Role

541	   One reason for separating state information from both a URL and
542	   document content is to facilitate the scaling that caching permits.
543	   To support cookies, a caching proxy must obey these rules already in
544	   the HTTP specification [TODO: If they're already in the HTTP
545	   specification, aren't they redundant here?]:

547	   o  Honor requests from the cache, if possible, based on cache
548	      validity rules.

550	   o  Pass along a Cookie request header in any request that the proxy
551	      must make of another server.

553	   o  Return the response to the client.  Include any Set-Cookie
554	      response header.

556	   o  Cache the received response subject to the control of the usual
557	      headers, such as Expires, Cache-Control: no-cache, and Cache-
558	      Control: private.

560	   o  Cache the Set-Cookie subject to the control of the usual header,
561	      Cache-Control: no-cache="set-cookie".  (The Set-Cookie header
562	      should usually not be cached.)

564	   Proxies must not introduce Set-Cookie (Cookie) headers of their own
565	   in proxy responses (requests).

567	5.  Examples

569	5.1.  Example 1

571	   Most detail of request and response headers has been omitted.  Assume
572	   the user agent has no stored cookies.

574	   1.  User Agent -> Server

576	       POST /acme/login HTTP/1.1
577	       [form data]

579	       User identifies self via a form.

581	   2.  Server -> User Agent

583	       HTTP/1.1 200 OK
584	       Set-Cookie: Customer="WILE_E_COYOTE"; Version="1"; Path="/acme"

586	       Cookie reflects user's identity.  [TODO: This is insecure.]

588	   3.  User Agent -> Server

590	       POST /acme/pickitem HTTP/1.1
591	       Cookie: $Version="1"; Customer="WILE_E_COYOTE"; $Path="/acme"
592	       [form data]

594	       User selects an item for "shopping basket."

596	   4.  Server -> User Agent

598	    HTTP/1.1 200 OK
599	    Set-Cookie: Part_Number="Rocket_Launcher_0001"; Version="1"; Path="/acme"

601	       Shopping basket contains an item.

603	   5.  User Agent -> Server

605	       POST /acme/shipping HTTP/1.1
606	       Cookie: $Version="1";
607	               Customer="WILE_E_COYOTE"; $Path="/acme";
608	               Part_Number="Rocket_Launcher_0001"; $Path="/acme"
609	       [form data]

611	       User selects shipping method from form.

613	   6.  Server -> User Agent
614	       HTTP/1.1 200 OK
615	       Set-Cookie: Shipping="FedEx"; Version="1"; Path="/acme"

617	       New cookie reflects shipping method.

619	   7.  User Agent -> Server

621	       POST /acme/process HTTP/1.1
622	       Cookie: $Version="1";
623	               Customer="WILE_E_COYOTE"; $Path="/acme";
624	               Part_Number="Rocket_Launcher_0001"; $Path="/acme";
625	               Shipping="FedEx"; $Path="/acme"
626	       [form data]

628	       User chooses to process order.

630	   8.  Server -> User Agent

632	       HTTP/1.1 200 OK

634	       Transaction is complete.

636	   [TODO: This example is really silly.  We shouldn't be recommending
637	   this at all.]

639	   The user agent makes a series of requests on the origin server, after
640	   each of which it receives a new cookie.  All the cookies have the
641	   same Path attribute and (default) domain.  Because the request URLs
642	   all have /acme as a prefix, and that matches the Path attribute, each
643	   request contains all the cookies received so far.

645	5.2.  Example 2

647	   This example illustrates the effect of the Path attribute.  All
648	   detail of request and response headers has been omitted.  Assume the
649	   user agent has no stored cookies.

651	   Imagine the user agent has received, in response to earlier requests,
652	   the response headers

654	   Set-Cookie: Part_Number="Rocket_Launcher_0001"; Version="1";
655	           Path="/acme"

657	   and

659	   Set-Cookie: Part_Number="Riding_Rocket_0023"; Version="1";
660	           Path="/acme/ammo"

662	   A subsequent request by the user agent to the (same) server for URLs
663	   of the form /acme/ammo/... would include the following request
664	   header:

666	   Cookie: $Version="1";
667	           Part_Number="Riding_Rocket_0023"; $Path="/acme/ammo";
668	           Part_Number="Rocket_Launcher_0001"; $Path="/acme"

670	   Note that the NAME=VALUE pair for the cookie with the more specific
671	   Path attribute, /acme/ammo, comes before the one with the less
672	   specific Path attribute, /acme.  Further note that the same cookie
673	   name appears more than once.

675	   A subsequent request by the user agent to the (same) server for a URL
676	   of the form /acme/parts/ would include the following request header:

678	 Cookie: $Version="1"; Part_Number="Rocket_Launcher_0001"; $Path="/acme"

680	   Here, the second cookie's Path attribute /acme/ammo is not a prefix
681	   of the request URL, /acme/parts/, so the cookie does not get
682	   forwarded to the server.

684	6.  Implementation Considerations

686	   Here we speculate on likely or desirable details for an origin server
687	   that implements state management.

689	6.1.  Set-Cookie Content

691	   An origin server's content should probably be divided into disjoint
692	   application areas, some of which require the use of state
693	   information.  The application areas can be distinguished by their
694	   request URLs.  The Set-Cookie header can incorporate information
695	   about the application areas by setting the Path attribute for each
696	   one.

698	   The session information can obviously be clear or encoded text that
699	   describes state.  However, if it grows too large, it can become
700	   unwieldy.  Therefore, an implementor might choose for the session
701	   information to be a key to a server-side resource.  [TODO: Describe
702	   briefly how to generate a decent session key.]

704	   [TODO: We could recommend that servers encrypt and mac their cookie
705	   data.]

707	   [TODO: Mention issues that arise from having multiple concurrent
708	   sessions.]

710	6.2.  Implementation Limits

712	   Practical user agent implementations have limits on the number and
713	   size of cookies that they can store.  In general, user agents' cookie
714	   support should have no fixed limits.  [TODO: Why not?]  They should
715	   strive to store as many frequently-used cookies as possible.
716	   Furthermore, general-use user agents should provide each of the
717	   following minimum capabilities individually, although not necessarily
718	   simultaneously: [TODO: Where do these numbers come from?]

720	   o  at least 300 cookies

722	   o  at least 4096 bytes per cookie (as measured by the size of the
723	      characters that comprise the cookie non-terminal in the syntax
724	      description of the Set-Cookie header)

726	   o  at least 20 cookies per unique host or domain name

728	   User agents created for specific purposes or for limited-capacity
729	   devices should provide at least 20 cookies of 4096 bytes, to ensure
730	   that the user can interact with a session-based origin server.

732	   The information in a Set-Cookie response header must be retained in
733	   its entirety.  If for some reason there is inadequate space to store
734	   the cookie, it must be discarded, not truncated.

736	   Applications should use as few and as small cookies as possible, and
737	   they should cope gracefully with the loss of a cookie.  [TODO: Could
738	   mention latency issues that arise from having tons of cookies.]

740	6.2.1.  Denial of Service Attacks

742	   User agents may choose to set an upper bound on the number of cookies
743	   to be stored from a given host or domain name or on the size of the
744	   cookie information.  Otherwise, a malicious server could attempt to
745	   flood a user agent with many cookies, or large cookies, on successive
746	   responses, which would force out cookies the user agent had received
747	   from other servers.  However, the minima specified above should still
748	   be supported.  [TODO: These minima still let an attacker exhaust the
749	   entire cookie store.  There's not much we can do about it though.]

751	7.  Privacy

753	7.1.  User Agent Control

755	   An origin server could create a Set-Cookie header to track the path
756	   of a user through the server.  Users may object to this behavior as
757	   an intrusive accumulation of information, even if their identity is
758	   not evident.  (Identity might become evident if a user subsequently
759	   fills out a form that contains identifying information.)  This state
760	   management specification therefore requires that a user agent give
761	   the user control over such a possible intrusion, although the
762	   interface through which the user is given this control is left
763	   unspecified.  However, the control mechanisms provided shall at least
764	   allow the user

766	   o  to completely disable the sending and saving of cookies,

768	   o  to determine whether a stateful session is in progress, and

770	   o  to control the saving of a cookie on the basis of the cookie's
771	      Domain attribute.

773	   Such control could be provided by, for example, mechanisms

775	   o  to notify the user when the user agent is about to send a cookie
776	      to the origin server, offering the option not to begin a session,

778	   o  to display a visual indication that a stateful session is in
779	      progress,

781	   o  to let the user decide which cookies, if any, should be saved when
782	      the user concludes a window or user agent session, or

784	   o  to let the user examine the contents of a cookie at any time.

786	   A user agent usually begins execution with no remembered state
787	   information.  It should be possible to configure a user agent never
788	   to send Cookie headers, in which case it can never sustain state with
789	   an origin server.  (The user agent would then behave like one that is
790	   unaware of how to handle Set-Cookie response headers.)

792	   When the user agent terminates execution, it should let the user
793	   discard all state information.  Alternatively, the user agent may ask
794	   the user whether state information should be retained.  If the user
795	   chooses to retain state information, it would be restored the next
796	   time the user agent runs.

798	7.2.  Protocol Design

800	   The restrictions on the value of the Domain attribute are meant to
801	   reduce the ways that cookies can "leak" to the "wrong" site.  The
802	   intent is to restrict cookies to one, or a closely related set of
803	   hosts.  Therefore a request-host is limited as to what values it can
804	   set for Domain.

806	8.  Security Considerations

808	8.1.  Clear Text

810	   The information in the Set-Cookie and Cookie headers is transmitted
811	   in the clear.  Three consequences are:

813	   1.  Any sensitive information that is conveyed in in the headers is
814	       exposed to an easedropper.

816	   2.  A malicious intermediary could alter the headers as they travel
817	       in either direction, with unpredictable results.

819	   3.  A malicious client could alter the Cookie header before
820	       transmission, with unpredictable results.

822	   These facts imply that information of a personal and/or financial
823	   nature should be sent over a secure channel.  For less sensitive
824	   information, or when the content of the header is a database key, an
825	   origin server should be vigilant to prevent a bad Cookie value from
826	   causing failures.

828	8.2.  Cookie Spoofing

830	   [TODO: Mention integrity issue where a sibling domain can inject
831	   cookies.]

833	   [TODO: Mention integrity issue where a HTTP can inject cookies into
834	   HTTPS.]

836	8.3.  Unexpected Cookie Sharing

838	   A user agent should make every attempt to prevent the sharing of
839	   session information between hosts that are in different domains.
840	   Embedded or inlined objects may cause particularly severe privacy
841	   problems if they can be used to share cookies between disparate
842	   hosts.  For example, a malicious server could embed cookie
843	   information for host a.com in a URI for host b.com.  User agent
844	   implementors are strongly encouraged to prevent this sort of exchange
845	   whenever possible.  [TODO: How are they supposed to do this?  This
846	   section makes little sense.]

848	9.  Other, Similar, Proposals

850	   [TODO: Describe relation to the Netscape Cookie Spec, RFC 2109, RFC
851	   2629, and cookie-v2.]

853	Appendix A.  Acknowledgements

855	   This document borrows heavily from RFC 2109.  [TODO: Figure out the
856	   proper way to credit the authors of RFC 2109.]

858	Author's Address

860	   Adam Barth
861	   University of California, Berkeley

863	   Email: abarth@eecs.berkeley.edu
864	   URI:   http://www.adambarth.com/