IETF Logo Mail Archive

Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design

Mark Pauley <mpauley@apple.com> Thu, 18 November 2010 20:59 UTC

Return-Path: <mpauley@apple.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD1BD3A68E6 for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 12:59:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VgcFh0bvu2Tm for <http-state@core3.amsl.com>; Thu, 18 Nov 2010 12:59:12 -0800 (PST)
Received: from mail-out4.apple.com (mail-out.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 8F01E3A68CF for <http-state@ietf.org>; Thu, 18 Nov 2010 12:59:12 -0800 (PST)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out4.apple.com (Postfix) with ESMTP id DCEFDBE3A53A; Thu, 18 Nov 2010 13:00:00 -0800 (PST)
X-AuditID: 11807134-b7bd1ae000004fc6-ef-4ce593d05a1c
Received: from paulma.apple.com (paulma.apple.com [17.203.12.155]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay14.apple.com (Apple SCV relay) with SMTP id 9F.D9.20422.0D395EC4; Thu, 18 Nov 2010 13:00:00 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="windows-1252"
From: Mark Pauley <mpauley@apple.com>
In-Reply-To: <AANLkTinfDu8SEJC8yd+q8dCOMOROpsBtOcgos4kTs=y3@mail.gmail.com>
Date: Thu, 18 Nov 2010 13:00:00 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <B558AA9B-6879-4730-B85F-AF9C06F60399@apple.com>
References: <AANLkTinfDu8SEJC8yd+q8dCOMOROpsBtOcgos4kTs=y3@mail.gmail.com>
To: Paul James Hammant <phammant@thoughtworks.com>
X-Mailer: Apple Mail (2.1082)
X-Brightmail-Tracker: AAAAAA==
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] One last attempt to get y'all to like the idea of a non-inclusive Set-Cookie design
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 20:59:13 -0000

Honestly, while we've discussed this idea before (that we are wasting resources sending a server state for a stateless resource), I think that adding complexity to the cookies design is not a great way to go.

There's a saying that I think is applicable here: You've got a problem, so you try to solve it using regular expressions.  Now you have two problems.



Why not partition your site either into two domains (one with static content, one without) or into two directories.

/static
/dynamic

- set the cookies for these two paths and you'll get your same result tomorrow instead of whenever your RFC addition is approved.


Here's my best argument: nobody can even get the current cookie RFC's implemented correctly.  Why would adding a complicated 'not-path' semantic work?  Let's just stick with codifying the current lowest-common-denominator behavior of all major browsers and pickle cookies going forward.  If we need to do something cookies can't do, use it as an opportunity to kill cookies.

My advice for you right now is to set minimal cookies and make all of the smarts on your backend where you have control.


On Nov 18, 2010, at 11:54 AM, Paul James Hammant wrote:

> Refer - http://paulhammant.com/blog/not-path-cookies.html
> 
> It is a modification to my proposal last month; Better this time based
> on the comments in this mail list when I last proposed it. I also
> reference the Michal Zalewski blog posting critical of cookies
> 
> I think it is even more relevant given the
> http://www.eff.org/pages/how-deploy-https-correctly posting from three
> days ago where the EFF suggests no more mixed content (see below).
> 
> -Paul
> 
> From the EFF blog entry:
> 
> ** Mixed Content **
> 
> When hosting an application over HTTPS, there can be no mixed content;
> that is, all content in the page must be fetched via HTTPS. It is
> common to see partial HTTPS support on sites, in which the main pages
> are fetched via HTTPS but some or all of the media elements,
> stylesheets, and JavaScript in the page are fetched via HTTP.
> 
> This is unsafe because although the main page load is protected
> against active and passive network attack, none of the other resources
> are. If a page loads some JavaScript or CSS code via HTTP, an attacker
> can provide a false, malicious code file and take over the page’s DOM
> once it loads. Then, the user would be back to a situation of having
> no security. This is why all mainstream browsers warn users about
> pages that load mixed content. Nor is it safe to reference images via
> HTTP: What if the attacker swapped the Save Message and Delete Message
> icons in a webmail app?
> 
> You must serve the entire application domain over HTTPS. Redirect HTTP
> requests with HTTP 301 or 302 responses to the equivalent HTTPS
> resource.
> 
> Some site operators provide only the login page over HTTPS, on the
> theory that only the user’s password is sensitive. These sites’ users
> are vulnerable to passive and active attack.
> _______________________________________________
> http-state mailing list
> http-state@ietf.org
> https://www.ietf.org/mailman/listinfo/http-state

_Mark
mpauley@apple.com

v2.23.0 | Report a Bug | By Email