Proposal: Cookie Priorities

Mike West <mkwst@google.com> Thu, 03 March 2016 16:04 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DF861A1BED for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Mar 2016 08:04:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.385
X-Spam-Level:
X-Spam-Status: No, score=-6.385 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a_tBA7DHte7k for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Mar 2016 08:04:16 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F9C1A1BD7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 3 Mar 2016 08:04:15 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1abVeb-0002uM-Sw for ietf-http-wg-dist@listhub.w3.org; Thu, 03 Mar 2016 15:59:05 +0000
Resent-Date: Thu, 03 Mar 2016 15:59:05 +0000
Resent-Message-Id: <E1abVeb-0002uM-Sw@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1abVeV-0002tW-RT for ietf-http-wg@listhub.w3.org; Thu, 03 Mar 2016 15:58:59 +0000
Received: from mail-lb0-f170.google.com ([209.85.217.170]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1abVeP-0005Qm-Pv for ietf-http-wg@w3.org; Thu, 03 Mar 2016 15:58:59 +0000
Received: by mail-lb0-f170.google.com with SMTP id bc4so28660999lbc.2 for <ietf-http-wg@w3.org>; Thu, 03 Mar 2016 07:58:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc; bh=9eSrMQ4c7K6w2oloSpjpv3mAEi+nd9njccNrt0DAbQQ=; b=kcco/VoZ+PEgIvMM09t3uRiVMnPb31doBUJGdCNpFjUaQjIy1sov36rqCCqbtbOtZU p9CLpO//221J/oiOI55t3IPJHrJyTASwjlfd5qnyQ1JSqwW+E/znho7dJ2tsBO6ub3SM xA3ARXuqDMybCbwqUMlyCGb57YREDfrLjUsUOcgj6pYoNYW2ALqmEBSefR7qH0mvwQe3 EVbOg432i/2gbsPjQQiNn+2Knh3RcsmOfikA12bsnvXCWFgNtjXYlUtMYj2P1VVjDuRH ChL3LXAy0aZoG6EbNolh5cI7vTUGQzCKTaCM88DKmlEynbuW6IdchMwLIvj4kVowuRGA tB5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=9eSrMQ4c7K6w2oloSpjpv3mAEi+nd9njccNrt0DAbQQ=; b=X0TCZ3JpNPXVTmR4XQP4i6jSo9uHtJRG1pITVYcocInDeIDQeR8Kkraldho1256Lov Co23dvHYQ31NQOT7jy3M6bqjYGHXrILJ2am3Ql5j6vMcuW9YrlixQIB97xBjXq7pLwy8 oTS4LYw1T6N6BGr1lXJUugT0i7Yb8syoHxFPRfVbO3/MGhyGFlrLcb0OBa1aPHeQ2XaC YCZcMytYM2j2qMUaLLsNlzAOSB6anqRsQy5YgU7Qgz39zXeDkfBWHWe/rYHVKeTtfnCC PUR8aFdMZhGhXSOIS6uqTdqzyiM7BGaafBA/zaO+fM5l5zlvP4vf/7iotehx92yO0m6Z b6LQ==
X-Gm-Message-State: AD7BkJLIAFamTp326uOGTqkWtd7yPoHzvU2Sh074lOKSnhwy6wY4H6JRDyULz4/FF8UWKj+uz76ejmbuksUZwcEz
X-Received: by 10.25.158.72 with SMTP id h69mr1347361lfe.8.1457020706597; Thu, 03 Mar 2016 07:58:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.112.170.98 with HTTP; Thu, 3 Mar 2016 07:58:06 -0800 (PST)
From: Mike West <mkwst@google.com>
Date: Thu, 3 Mar 2016 16:58:06 +0100
Message-ID: <CAKXHy=dvxE5f25_xx3mKTc+XRDU_Hp=uFDy-iL-_c0s+xHGydw@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: Samuel Huang <huangs@google.com>, Mark Nottingham <mnot@mnot.net>
Content-Type: multipart/alternative; boundary=001a11401b3ca6069e052d271191
Received-SPF: pass client-ip=209.85.217.170; envelope-from=mkwst@google.com; helo=mail-lb0-f170.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.840, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1abVeP-0005Qm-Pv f1fa26d24275fb3a6554058c1bcb9ee2
X-Original-To: ietf-http-wg@w3.org
Subject: Proposal: Cookie Priorities
Archived-At: <http://www.w3.org/mid/CAKXHy=dvxE5f25_xx3mKTc+XRDU_Hp=uFDy-iL-_c0s+xHGydw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31164
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Way back in 2013, folks at Google put together a proposal for a `priority`
attribute for cookies with the intent of allowing servers to influence a
user agent's retention policy[1]. Chrome has been shipping this feature
since ~November 2013[2], and Google servers have been using it since then.
It would be lovely to get more feedback on the concept from other folks
outside the company, so I've just submitted a copy/pasted version of the
original proposal[3] as
https://tools.ietf.org/html/draft-west-cookie-priority-00. Apologies for
the years of delay. :/

Like many other excitingly huge companies, Google has both internal and
external servers hosted on subdomains of `google.com`, and employees hit
the user agent's cookie retention limit on a regular basis. In order to
insure that this doesn't result in lost sessions, Google marks certain
cookies as `Priority=High`, and others as `Priority=Low`. As you might
imagine, the latter are evicted more frequently than regular cookies, the
former less frequently. The document describes how Chrome takes these
priorities into account when evicting cookies from the cookie store.
Anecdotally, folks internally have found it quite helpful in terms of
retaining session state.

There's still some work to do to bring the document up to date with
proposals like
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-00 which also
aim to alter the browser's eviction policy. I'm working through the
implications of that document on this proposal in Chrome right now, and
will document whatever merger we end up considering sane once we figure out
what it it might be. :)

One of the original authors (Erik) has left Google, and I haven't been
successful at getting in contact with him: I'm hopeful that we can get him
involved again. Regardless, Samuel and I would be thrilled to hear what
this group thinks of the proposal.

Thanks!

[1]:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/xK4IJ1-5oJE
[2]: https://codereview.chromium.org/54303010
[3]:
https://docs.google.com/a/google.com/file/d/0B3o1IlTKoADVRllKWGlyWGxIVTg/edit

-mike