Re: [http-state] Welcome to http-state

"Blake Frantz" <> Mon, 12 January 2009 21:47 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 33C533A6946; Mon, 12 Jan 2009 13:47:48 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 57DF53A696D for <>; Mon, 12 Jan 2009 13:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aDtRZUDkztQ2 for <>; Mon, 12 Jan 2009 13:47:45 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 77D583A693E for <>; Mon, 12 Jan 2009 13:47:44 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 12 Jan 2009 16:47:22 -0500
Message-ID: <120206B6A348CA498C70E738A2E963514C0CD2@Nexus.cisecurity.lan>
In-Reply-To: <>
Thread-Topic: [http-state] Welcome to http-state
Thread-Index: Acl08HTtJOrd/3oZSaOgWwnmulaLWgAAFdpA
References: <><120206B6A348CA498C70E738A2E963514C0CCC@Nexus.cisecurity.lan> <>
From: Blake Frantz <>
To: Discuss HTTP State Management Mechanism <>
Subject: Re: [http-state] Welcome to http-state
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Discuss HTTP State Management Mechanism <>
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Agreed that cross-scheme clobbering is historically allowed by user
agents. However, clobbering a cookie is different than causing a cookie
to be evicted. The former impacts the integrity of the cookie while the
latter impacts cookie availability. The purpose of an anti-clobber
mechanism is to protect the integrity of the Secure cookie. To be
effective, the user agent must treat cookies of the same origin
(domain-match + path-match) and NAME distinctly if their schemes differ.
This implies adding a scheme-match check to the user agent. I see such a
mechanism as a defense in depth measure - akin to HttpOnly. I'm
interested in hearing what everyone thinks about the utility of such a


-----Original Message-----
From: []
On Behalf Of Adam Barth
Sent: Monday, January 12, 2009 12:00 PM
To: Discuss HTTP State Management Mechanism
Subject: Re: [http-state] Welcome to http-state

On Mon, Jan 12, 2009 at 11:51 AM, Blake Frantz <>
> 1. While RFC2109 and draft-pettersen-cookie-v2-03.txt define the
> 'Secure' cookie-av to advise the user-agent against sending the cookie
> over an insecure transport they do not define the desired user-agent
> behavior for cross scheme writing. For example,
> clobbering a cookie set by

Historically, cross-scheme clobbering has been allowed by user agents
because it is impossible to prevent with a bounded amount of storage
(due to eviction of Secure cookies).

http-state mailing list
http-state mailing list