[http-state] Cookie login security inconsistency

"Shelby Moore" <shelby@coolpage.com> Wed, 25 August 2010 17:03 UTC

Return-Path: <shelby@coolpage.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id CF1B43A6B54 for <http-state@core3.amsl.com>; Wed, 25 Aug 2010 10:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.345
X-Spam-Status: No, score=-2.345 tagged_above=-999 required=5 tests=[AWL=0.254, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id RVfMjOfD1in7 for <http-state@core3.amsl.com>; Wed, 25 Aug 2010 10:03:41 -0700 (PDT)
Received: from www2.webmail.pair.com (www2.webmail.pair.com []) by core3.amsl.com (Postfix) with SMTP id 2012D3A6A43 for <http-state@ietf.org>; Wed, 25 Aug 2010 10:03:41 -0700 (PDT)
Received: (qmail 23639 invoked by uid 65534); 25 Aug 2010 17:04:11 -0000
Received: from ([]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Wed, 25 Aug 2010 13:04:11 -0400
Message-ID: <23e5b79de37d3b7ccfa8f85f6a5de360.squirrel@sm.webmail.pair.com>
Date: Wed, 25 Aug 2010 13:04:11 -0400
From: "Shelby Moore" <shelby@coolpage.com>
To: http-state@ietf.org
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: [http-state] Cookie login security inconsistency
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Aug 2010 17:03:42 -0000

Some of you know me already from the Hybi WG (WebSockets), so no need to
introduce myself.

Please introduce to the record here, one specific inconsistency from prior
cookies standard for best practices:


Also I would like to introduce the entire linked page above to the record
of input to this WG. I notice that Mozilla appears to agree with me on the
solution or way to proceed:


I am happy to see some people are working on the problem of http-state and
I hope with an intent of closing the security holes.

Good luck with this.  I wish you all the best.

Please note I am not joining this WG and will be unsubscribed after this
post. Please remove my email address from any replies to this mailing
list. If I have something else important to contribute, I will come back
in the future.