Re: [http-state] Welcome to http-state

Bil Corry <> Wed, 14 January 2009 03:24 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id BBC8628C199; Tue, 13 Jan 2009 19:24:08 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A0AA13A69AD for <>; Tue, 13 Jan 2009 19:24:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.971
X-Spam-Status: No, score=-3.971 tagged_above=-999 required=5 tests=[AWL=-2.836, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_47=0.6]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fCnsHUccB1Rt for <>; Tue, 13 Jan 2009 19:24:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 388C728C199 for <>; Tue, 13 Jan 2009 19:24:05 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTP id 28E0919C086 for <>; Tue, 13 Jan 2009 21:23:46 -0600 (CST)
Message-ID: <>
Date: Tue, 13 Jan 2009 21:23:43 -0600
From: Bil Corry <>
User-Agent: Thunderbird (Windows/20081209)
MIME-Version: 1.0
To: Discuss HTTP State Management Mechanism <>
References: <> <120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <> <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan> <> <120206B6A348CA498C70E738A2E963514C0CD5@Nexus.cisecurity.lan> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.7
Subject: Re: [http-state] Welcome to http-state
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <>
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dan Winship wrote on 1/13/2009 11:11 AM: 
> The deliverable that some people want is an Informational RFC explaining
> how cookies are actually used *right now* (as opposed to "how we wish
> they worked"), with notes on areas of incompatibility, and discussion of
> known security problems.

We have to do this anyhow if we want a spec that will actually be used by the browser vendors.  Without it, we will not have any visibility to the impact our new spec will have on those who have to implement it, and our decisions will be unguided by reality.

> If we want to actually make cookies better,

We do.

> then we need to be careful
> to not just create yet-another-improved-cookie-spec-that-everyone-
> ignores (as Daniel Stenberg already noted). So there are two kinds of
> things we can do:
>     * Find ways to make cookies better that don't require web developers
>       to change their behavior. (Eg, draft-pettersen-dns-cookie-validate
>       and draft-pettersen-subtld-structure.)
>     * Find ways to make cookies better that we can somehow force/trick/
>       bribe web developers into using.

I don't think the first option will work; how many sites *still* do not use the Secure or HTTPOnly flags?  We have an education campaign in front of us no matter what we decide to do, so option two appears to be our fate regardless.

> One way to make the new spec compelling might be to add some feature
> that would be needed by some other useful spec like
> Cookie-based-HTTP-auth (draft-broyer-http-cookie-auth, currently being
> discussed on the ietf-http-auth list). Or to have new cookies integrate
> with HTML5 in some exciting way that old cookies wouldn't be able to.

We definitely should consider including draft-broyer-http-cookie-auth, and integrate Yngve's improvements as well.  My own personal desire is to see cookies offer three protections for Secure/HTTPOnly cookies:

(1) Confidentiality - using Secure/HTTPOnly to guard the contents of cookies.

(2) Integrity - protecting Secure/HTTPOnly cookies from clobbering/eviction/replacement.

(3) Privacy - protecting Secure/HTTPOnly cookies from even being discovered if it exists from an outside source.

In a world free from legacy, I'd even suggest Secure is the default for any cookie sent over HTTPS unless otherwise specified (NonSecure flag?), and HTTPOnly is the default for all cookies unless otherwise specified (Scriptable flag?).  That's why I had the thought of re-purposing Cookie2, changes like those could be made with little impact (an unqualified assumption).

> Likewise, even though it would be cleaner to scrap Set-Cookie and
> replace it with a new header a la Set-Cookie2, developers are going to
> want backward-compatibility, and don't want to have to set each cookie
> twice (for bandwidth reasons), so the best solution for new features may
> be to add new attributes to Set-Cookie (keeping in mind that old
> implementations would still see the cookies but would ignore the new
> attributes).

If the browser advertises that it supports the new cookie spec (Cookie2?), then the server could choose which Set-Cookie header to return.  Now that will add yet another header from the client, but I think another client header is needed anyhow for technologies such as Content Security Policy to advertise itself[1].  So I'd imagine something like:

	Accept-Language: en-us,en;q=0.5
	Accept-Encoding: gzip,deflate
	Accept-Charset: UTF-8,*
	Accept-Headers: Set-Cookie2,X-Content-Security-Policy

- Bil

[1] Content Security Policy -

Note that there's been some debate over whether CSP should advertise itself, and at this point in time, no decision has been made.  The discussion about it is here:

http-state mailing list