Re: [http-state] Ticket 5: Cookie ordering

[Achim Hoffmann <ah@securenet.de>]

Hi all,

even I'm listening to the list since the beginning, I'd kept quit 'cause
my main interest is about cookies and web application security.

Anyway, it's time to speak as the cookie oder/sequence seems to be a
mystery since ages. See my question years back and still no answer
(except those in this list now:)
	http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html

'til now we got a clear statement from Opera (thanks Yngve), but there're
more  browser vendors on the list. What is so difficult to make a clear
and undoubtfull statement how it works in each browser?

The cookie sequence is really important as I'm aware of some serious
attacks (miss)using this sequence.
It needs to be fixed, so we can tell application developers how to deal
with a list of cookies with the same name (unless someone implements
Cookie2 in major browsers again:)

My vote for a sequence (with security in mind) would be:
  1. most qualified first
    a) protocol, always all HTTPS before HTTP (exception see e))
    b) FQDN (domains MUST be IDN, other characters MUST be transformed to IDN)
    c) port
    d) path
    e) secure Flag
    f) timestamp
    g) wildcard (domain) cookies at very last
  2. above order MUST not change if the browser's cookie store is
     overflowed

Do I miss something?
Cheers,
Achim



Yngve Nysaeter Pettersen wrote on 08.02.2010 17:19:
> On Fri, 05 Feb 2010 13:56:58 +0100, Yngve Nysaeter Pettersen
> <yngve@opera.com> wrote:
>> IOW, if ordering is determined by anything but the domain and path the
>> sequence of cookie is going to vary depending on which servers the
>> clients visits and the sequence it visits them, and this might cause
>> significant problems for a server that considers ordering significant.
> 
> Some testing by a couple of my colleagues setting two cookies with the
> same name (and path) "host-only" and "domain-wide" have found the
> following in browsers other than Opera:
> 
> -----
> Visit order: Host-only, domain-wide
> Cookie order:  "host-only", "domain-wide"
> -----
> 
> -----
> Visit order: domain-wide, Host-only
> Cookie order (IE):  "host-only", "domain-wide"
> Cookie order (Others): "domain-wide", "host-only"
> -----
> 
> To me it looks like IE is sorting by domain, at the same path level,
> with FF and Safari (the two tested) sort on creation data.
> 
> The consequence is that there is apparently three deployed ways to send
> cookies:
> 
>    - Cookies at the same path level are grouped and sorted by creation
> date, earliest first (FF&co)
>    - Cookies at the same path level are grouped and sorted by domain,
> most specific first (IE)
>    - Cookies are grouped by domain (most specific first), then sorted by
> path (most specific first) within each domain (Opera)
> 
> IMO the creation date method is less predictable than the other two, and
> will cause problems for sites depending on a specific sequence of cookies.
> 
> My suggestion would be that the spec should recommend ordering an
> ordering based on on both domain and path (order of preference to be
> decided), as that will be more predictable for sites using multiple
> cookies with the same name at various domain and path levels.
>