IETF Logo Mail Archive

Re: Cookies and schemes.

Willy Tarreau <w@1wt.eu> Tue, 10 March 2020 03:43 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C58B3A0EB9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 9 Mar 2020 20:43:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.652
X-Spam-Level:
X-Spam-Status: No, score=-2.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4fpF5UyFlLRb for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 9 Mar 2020 20:43:26 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94C693A0EB7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 9 Mar 2020 20:43:26 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jBVkk-00031M-0U for ietf-http-wg-dist@listhub.w3.org; Tue, 10 Mar 2020 03:40:22 +0000
Resent-Date: Tue, 10 Mar 2020 03:40:22 +0000
Resent-Message-Id: <E1jBVkk-00031M-0U@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <w@1wt.eu>) id 1jBVke-00030b-2h for ietf-http-wg@listhub.w3.org; Tue, 10 Mar 2020 03:40:16 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by titan.w3.org with esmtp (Exim 4.92) (envelope-from <w@1wt.eu>) id 1jBVkb-0000Jj-VE for ietf-http-wg@w3.org; Tue, 10 Mar 2020 03:40:15 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 02A3dvjw017997; Tue, 10 Mar 2020 04:39:57 +0100
Date: Tue, 10 Mar 2020 04:39:57 +0100
From: Willy Tarreau <w@1wt.eu>
To: Martin Thomson <mt@lowentropy.net>
Cc: ietf-http-wg@w3.org
Message-ID: <20200310033957.GA17977@1wt.eu>
References: <CAKXHy=d260V9_63yNBwLjDG=upZ+HG3iJ8hKbnFc0KU7fCbVcQ@mail.gmail.com> <110aa602-33bd-4fbf-b3af-c5530d95fc44@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <110aa602-33bd-4fbf-b3af-c5530d95fc44@www.fastmail.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1jBVkb-0000Jj-VE d6d645719ef68d560c9df3430b2942d0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Cookies and schemes.
Archived-At: <https://www.w3.org/mid/20200310033957.GA17977@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37429
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Mar 10, 2020 at 09:02:25AM +1100, Martin Thomson wrote:
> On Mon, Mar 9, 2020, at 19:51, Mike West wrote:
> > https://github.com/mikewest/scheming-cookies proposes two changes:
> > 
> > 1. We teach cookies about schemes, and lock them to the scheme that set 
> > them (just like every other web-facing storage mechanism).
> 
> Excellent!
> 
> To Willy's point about transfer, perhaps we can allow any cookies that are set on an http:// response to follow a redirect to https://

Maybe that can work.

>  The Sec-Nonsecure-Cookie header field seems like it might not be great long term.

I don't believe in adding attributes to legacy applications anyway. If they
rely on older mechanisms it's because they cannot be changed, and it's not
by changing default behavior that we'll make them suddenly capable of adapting
their code to emit new cookie attributes.

> Tf the goal is to support temporally-constrained transfer, then binding the
> cookies to the redirect avoids pulling from previous state.  Also, the
> redirector could have just packed this information into the target URL, so
> it's not a new tracking vector.

Absolutely.

> Have I missed a key piece of information?  Willy, could this work in the
> cases you understand?

I think it can, yes, but it would still require some infrastructure
adaptations, and by default could degrade the behavior over HTTPS by
forcing to always append a cookie in response. The typical case I'm
thinking about is the following sequence:

  1) client connects over HTTP to example.com
  2) the load balancer doesn't find a cookie, applies the load balancing
     algorithm and forwards the request to server #1
  3) server responds, load balancer appends cookie "SERVER=srv01" to the
     response
  4) client makes a few more HTTP requests presenting "SERVER=srv01",
     which the LB spots and continues to pass to server #1. Since the
     client presents the cookie, the LB doesn't append it on new responses.
  5) one such response is now a 302, client then sends a request over
     HTTPS, still presenting the cookie "SERVER=srv01". The load balancer
     sees it and forwards it to the server and doesn't append it on response.

Past this point, if the client stops presenting the cookie, we'll lose the
binding. I'm still not clear on how to address this without systematically
appending a cookie to responses, which is bad. We're exactly in the situation
where I was thinking that it would be nice to have the ability for the client
to signal the server "I'm going to expire this cookie, please renew it if
still needed".

Maybe the right approach would be to change the default behavior with a
new attribute. Currently without any attribute the cookie is presented
to both schemes, while with the secure attribute it's presented only to
HTTPS. By having an explicit such as "secure-and-insecure" or something
like this, we could have load balancers explicitly set this one for
server affinity, and let the client present it to both HTTP and HTTPS.
Then with this, we could stop presenting an HTTP-learned cookie over
HTTPS at all by default.

Just my two cents,
Willy

v2.23.0 | Report a Bug | By Email