[http-state] Intermediate proxy servers and Set-Cookie/Cookie headers

"Rich, Anthony" <arich@dingo.com> Thu, 03 February 2011 03:35 UTC

Return-Path: <arich@dingo.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5ED343A67B4 for <http-state@core3.amsl.com>; Wed, 2 Feb 2011 19:35:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_45=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gD48CaJiH02X for <http-state@core3.amsl.com>; Wed, 2 Feb 2011 19:35:29 -0800 (PST)
Received: from gateout02.mbox.net (gateout02.mbox.net [165.212.64.22]) by core3.amsl.com (Postfix) with ESMTP id 741F03A6778 for <http-state@ietf.org>; Wed, 2 Feb 2011 19:35:29 -0800 (PST)
Received: from gateout02.mbox.net (gwo2-lo [127.0.0.1]) by gateout02.mbox.net (Postfix) with ESMTP id 2C69B410901 for <http-state@ietf.org>; Thu, 3 Feb 2011 03:38:50 +0000 (GMT)
X-USANET-Received: from gateout02.mbox.net [127.0.0.1] by gateout02.mbox.net via mtad (C8.MAIN.3.72B) with ESMTP id 140PBcDMW0224Mo2; Thu, 03 Feb 2011 03:38:48 -0000
Received: from s1hub3.EXCHPROD.USA.NET [165.212.120.254] by gateout02.mbox.net via smtad (C8.MAIN.3.72B) with ESMTPS id XID173PBcDMW5354Xo2; Thu, 03 Feb 2011 03:38:48 -0000
X-USANET-Source: 165.212.120.254 IN arich@dingo.com s1hub3.EXCHPROD.USA.NET
X-USANET-MsgId: XID173PBcDMW5354Xo2
Received: from MBX18.EXCHPROD.USA.NET ([169.254.1.99]) by s1hub3.EXCHPROD.USA.NET ([10.120.220.33]) with mapi; Thu, 3 Feb 2011 03:36:45 +0000
From: "Rich, Anthony" <arich@dingo.com>
To: "http-state@ietf.org" <http-state@ietf.org>
Date: Thu, 3 Feb 2011 03:36:30 +0000
Thread-Topic: Intermediate proxy servers and Set-Cookie/Cookie headers
Thread-Index: AcvDU4vkv5PE8Fq4QYGIycFKRpklyQ==
Message-ID: <BD4AD72144E7434EACE523A2C2F835F7082032F40D@MBX18.EXCHPROD.USA.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-cr-hashedpuzzle: th4= AkJh A/PC BEwQ BI9Y CT7G CtSF DM5I Df/1 FJ+A FUUZ Fec4 FqEk F84e GkP9 HHET; 1; aAB0AHQAcAAtAHMAdABhAHQAZQBAAGkAZQB0AGYALgBvAHIAZwA=; Sosha1_v1; 7; {754BF981-FEF4-4524-ADB5-ED2C1D107126}; YQByAGkAYwBoAEAAZABpAG4AZwBvAC4AYwBvAG0A; Thu, 03 Feb 2011 03:36:30 GMT; SQBuAHQAZQByAG0AZQBkAGkAYQB0AGUAIABwAHIAbwB4AHkAIABzAGUAcgB2AGUAcgBzACAAYQBuAGQAIABTAGUAdAAtAEMAbwBvAGsAaQBlAC8AQwBvAG8AawBpAGUAIABoAGUAYQBkAGUAcgBzAA==
x-cr-puzzleid: {754BF981-FEF4-4524-ADB5-ED2C1D107126}
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [http-state] Intermediate proxy servers and Set-Cookie/Cookie headers
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Feb 2011 03:37:11 -0000

Hello,

In RFC 2109 HTTP State Management Mechanism, 4.5  Caching Proxy Role it says:
   Proxies must not introduce Set-Cookie (Cookie) headers of their own
   in proxy responses (requests).

And again in RFC 2965 HTTP State Management Mechanism, 3.5  Caching Proxy Role it says:
   Proxies MUST NOT introduce Set-Cookie2 (Cookie) headers of their own
   in proxy responses (requests).

When examining user-agent log files from one of our clients recently I started noticing HTTP responses like this:
   HTTP/1.1 407 Proxy Authentication Required
   Proxy-Authenticate: NTLM,BASIC realm="W2K"
   Cache-Control: no-cache
   Pragma: no-cache
   Content-Type: text/html; charset=utf-8
   Proxy-Connection: close
   Set-Cookie: BCSI-CS-D0616EFC8C0A61B2=2; Path=/
   Connection: close
   Content-Length: 818

Note that this is coming from an intermediate proxy, not an origin server, and yet it has a Set-Cookie header.

At the moment I am trying to get in contact with the proxy vendor but I wanted to confirm that proxies should not be setting cookies and that there is no RFC being prepared that allows it.

I can see all sorts of issues with this, but the big three for me are:
1. poisoning of origin server cookies (due to name collisons)
2. unintended expulsion of legitimate cookies from user agents' cookie jars (due per domain limits, for example).
3. potential for problems with poorly-implemented applications on origin servers (unexpected cookies that they themselves have not issued). Since there is currently no way for user agents to distinguish between origin server cookies and proxy server cookies user agents would likely send this cookie with every request on this domain and the origin server would see it if the proxy server does not filter it.

Am I being unnecessarily concerned?

Thanks in advance,
Anthony.