cookies - state management improvement

Rafal Pietrak <cookie.rp@ztk-rp.eu> Tue, 23 March 2021 10:37 UTC

To: ietf-http-wg@w3.org
From: Rafal Pietrak <cookie.rp@ztk-rp.eu>
Message-ID: <feb70c12-7841-776a-a9dd-defcc00ee7d4@ztk-rp.eu>
Date: Mon, 22 Mar 2021 12:30:20 +0100
Subject: cookies - state management improvment
Archived-At: <https://www.w3.org/mid/feb70c12-7841-776a-a9dd-defcc00ee7d4@ztk-rp.eu>

Hello the list,

Some time ago, I submitted a draft proposal introducing a way to
limit the visibility of cookies within a user's web browser
(https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/).

I was informed by an independent draft editor that a proposal for IETF
standards does not get traction automatically by means of draft
publication (despite my first impression), but should rather be
introduced and discussed here on this list.

So, I'd like to bring up the problem which my proposal attempts to solve,
which is the following:

1. computer users - even unconsciously - do focus on a particular work
context by selecting an application: WEB/MAIL/DOC/etc.

2. this goes somewhat further when a user selects the DOC context (working
with a word processor) but simultaneously opens different documents: an
annual financial report, a fragment of legal code, or a user complaint.

3. when doing such work in a "cloud" environment, this often means logging
in with different credentials to different systems:
corporate-internal-site, legal-firm-external, call-center-external.
Those sites will require different credentials to access them, but are
accessed "simultaneously" in side-by-side windows or tabs of a browser.

4. IT people do work with separate contexts, like separate servers being
accessed by one person, again: often with different credentials.

5. Unfortunately, a separate context in the web-browser world is achieved
by a separate URL - users work with such separate "contexts"
simultaneously using separate windows and/or tabs of a window. Separate
windows/tabs don't separate context as viewed from the "state management"
perspective - the cookies perspective.

6. on the other hand, cookies were devised for the purpose of "state
management", but since they are shared within a browser, one has to use
a separate URL to allow for context separation at the level of login
session separation. This is neither aesthetical nor insecure.

But I think that adding one optional attribute to cookies could support
context separation of web browser window tabs more elegantly than unique
(and random-string-looking) URL diversification.

I'd happily present more evidence and more arguments for the proposed
cookie attribute, should there be any interest on the list to
investigate the problem.

With best regards,

-- 
Rafał Pietrak