draft-ietf-httpbis-rfc6265bis-21.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
---|---|---|---|---|
HTTP Working Group S. Bingler, Ed. | HTTP Working Group S. Bingler, Ed. | |||
Internet-Draft | Internet-Draft | |||
Obsoletes: 6265 (if approved) M. West, Ed. | Obsoletes: 6265 (if approved) M. West, Ed. | |||
Intended status: Standards Track Google LLC | Intended status: Standards Track Google LLC | |||
Expires: March 28, 2026 J. Wilander, Ed. | Expires: April 2, 2026 J. Wilander, Ed. | |||
Apple, Inc | Apple, Inc | |||
September 24, 2025 | September 29, 2025 | |||
Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
draft-ietf-httpbis-rfc6265bis-21 | draft-ietf-httpbis-rfc6265bis-latest | |||
Abstract | Abstract | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
(called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
skipping to change at page 2, line 10 | skipping to change at page 2, line 10 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 28, 2026. | This Internet-Draft will expire on April 2, 2026. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 3, line 47 | skipping to change at page 3, line 47 | |||
6.2. Application Programming Interfaces . . . . . . . . . . . 43 | 6.2. Application Programming Interfaces . . . . . . . . . . . 43 | |||
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 44 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 44 | |||
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 45 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 45 | |||
7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 45 | 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 45 | |||
7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 46 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 46 | |||
7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 46 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 46 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | |||
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 47 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 47 | |||
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 47 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 47 | |||
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 48 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 48 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 49 | |||
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 49 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 49 | |||
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 50 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 50 | |||
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 51 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 51 | |||
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 51 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 51 | |||
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 51 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 51 | |||
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 51 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 51 | |||
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 52 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 52 | |||
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 52 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 52 | |||
8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 52 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 53 | |||
8.8.6. Top-level requests with "unsafe" methods . . . . . . 53 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 53 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 | |||
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 54 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 54 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
9.3. "Cookie Attributes" Registry . . . . . . . . . . . . . . 55 | 9.3. "Cookie Attributes" Registry . . . . . . . . . . . . . . 55 | |||
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 55 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 55 | |||
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 55 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 55 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 55 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 56 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 57 | 10.2. Informative References . . . . . . . . . . . . . . . . . 57 | |||
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 59 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
Appendix A. Changes from RFC 6265 . . . . . . . . . . . . . . . 59 | Appendix A. Changes from RFC 6265 . . . . . . . . . . . . . . . 59 | |||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
1. Introduction | 1. Introduction | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
skipping to change at page 47, line 22 | skipping to change at page 47, line 22 | |||
session identifiers in cookies, developers often create session | session identifiers in cookies, developers often create session | |||
fixation vulnerabilities. | fixation vulnerabilities. | |||
Transport-layer encryption, such as that employed in HTTPS, offers a | Transport-layer encryption, such as that employed in HTTPS, offers a | |||
significant layer of defense against network attacks on cookies. | significant layer of defense against network attacks on cookies. | |||
However, it is insufficient in fully preventing a networking attacker | However, it is insufficient in fully preventing a networking attacker | |||
from obtaining or altering a victim's cookies because of inherent | from obtaining or altering a victim's cookies because of inherent | |||
vulnerabilities in the cookie protocol itself (see "Weak | vulnerabilities in the cookie protocol itself (see "Weak | |||
Confidentiality" and "Weak Integrity", below). In addition, by | Confidentiality" and "Weak Integrity", below). In addition, by | |||
default, cookies do not provide confidentiality or integrity from | default, cookies do not provide confidentiality or integrity from | |||
network attackers, even when used in conjunction with HTTPS. | network attackers, even when used in conjunction with HTTPS. This | |||
means that a cookie needs to explicitly specify any protective | ||||
attributes. For example, the cookie: | ||||
"Set-Cookie: a=b" | ||||
doesn't specify the Secure attribute and will therefore be accessible | ||||
on both secure and insecure connections, regardless of the original | ||||
connection type it was created on. This behavior could allow an | ||||
attacker to read or modify the cookie. | ||||
8.2. Ambient Authority | 8.2. Ambient Authority | |||
A server that uses cookies to authenticate users can suffer security | A server that uses cookies to authenticate users can suffer security | |||
vulnerabilities because some user agents let remote parties issue | vulnerabilities because some user agents let remote parties issue | |||
HTTP requests from the user agent (e.g., via HTTP redirects or HTML | HTTP requests from the user agent (e.g., via HTTP redirects or HTML | |||
forms). When issuing those requests, user agents attach cookies even | forms). When issuing those requests, user agents attach cookies even | |||
if the remote party does not know the contents of the cookies, | if the remote party does not know the contents of the cookies, | |||
potentially letting the remote party exercise authority at an unwary | potentially letting the remote party exercise authority at an unwary | |||
server. | server. | |||
End of changes. 8 change blocks. | ||||
9 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |
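The text added to Section 8.1 in the newer draft makes a point that is easy to test in code: a cookie gets no protection the Set-Cookie line does not spell out, so "Set-Cookie: a=b" is attached to plain-http requests as well as https ones, and (Section 8.2) to requests that a third party caused the user agent to send. The following Python is an added illustration, not text or code from the draft or its authors. It parses a Set-Cookie value, models when a user agent would attach the cookie, and lists the attributes a weak cookie is missing next to a hardened form. The Secure rule is the one stated in the excerpt; the SameSite handling (Strict, Lax, None) follows the draft's SameSite attribute as I understand Section 8.8, which this excerpt only lists in its table of contents, and treating an absent SameSite attribute as "no site restriction" is a modelling assumption. The header strings are constructed sample input.

```python
"""Model of cookie attachment rules from the draft's Security Considerations.
Added example (not from the draft): shows that protections must be explicit."""
from dataclasses import dataclass
from typing import Optional, List, Dict, Any

# Safe methods per HTTP semantics; Lax cookies ride along only on these
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # None = attribute absent (assumed unrestricted)


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val', with or without a 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.lower()  # "strict", "lax" or "none"
    return cookie


def attached(cookie: Cookie, scheme: str, same_site_request: bool,
             top_level_navigation: bool, method: str) -> bool:
    """Would a user agent put this cookie on the described request?"""
    # Secure rule from the excerpt: without Secure the cookie goes out on
    # http:// too, whatever connection it was originally set over.
    if cookie.secure and scheme != "https":
        return False
    # Same-site requests, or cookies with no site restriction, always qualify.
    if same_site_request or cookie.same_site in (None, "none"):
        return True
    if cookie.same_site == "strict":
        return False
    if cookie.same_site == "lax":
        # Cross-site only on top-level navigations with a safe method
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # unknown value: treat as unrestricted (assumption)


def missing_protections(cookie: Cookie) -> List[str]:
    """Attributes a defender would expect on a session cookie but which are absent."""
    missing = []
    if not cookie.secure:
        missing.append("Secure")
    if not cookie.http_only:
        missing.append("HttpOnly")
    if cookie.same_site is None:
        missing.append("SameSite")
    return missing


# Constructed sample input: the draft's weak example beside a hardened form
WEAK = "Set-Cookie: a=b"
HARDENED = "Set-Cookie: a=b; Secure; HttpOnly; SameSite=Lax"


def demo() -> Dict[str, Any]:
    """Compare the two cookies under the request contexts the excerpt discusses."""
    weak, hard = parse_set_cookie(WEAK), parse_set_cookie(HARDENED)
    return {
        "weak_on_http": attached(weak, "http", True, False, "GET"),
        "hard_on_http": attached(hard, "http", True, False, "GET"),
        # Ambient authority: a cross-site form POST triggered by another party
        "weak_cross_site_post": attached(weak, "https", False, True, "POST"),
        "hard_cross_site_post": attached(hard, "https", False, True, "POST"),
        "hard_cross_site_nav": attached(hard, "https", False, True, "GET"),
        "weak_missing": missing_protections(weak),
        "hard_missing": missing_protections(hard),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the weak cookie attached on http and on a cross-site POST, while the hardened cookie is withheld in both cases but still sent on a top-level GET navigation, which is the Lax trade-off the draft's SameSite section discusses.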