| draft-ietf-httpbis-rfc6265bis-21.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group S. Bingler, Ed. | HTTP Working Group S. Bingler, Ed. | |||
| Internet-Draft | Internet-Draft | |||
| Obsoletes: 6265 (if approved) M. West, Ed. | Obsoletes: 6265 (if approved) M. West, Ed. | |||
| Intended status: Standards Track Google LLC | Intended status: Standards Track Google LLC | |||
| Expires: March 28, 2026 J. Wilander, Ed. | Expires: April 9, 2026 J. Wilander, Ed. | |||
| Apple, Inc | Apple, Inc | |||
| September 24, 2025 | October 6, 2025 | |||
| Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
| draft-ietf-httpbis-rfc6265bis-21 | draft-ietf-httpbis-rfc6265bis-latest | |||
| Abstract | Abstract | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
| (called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
| stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
| cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
| and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
| on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 28, 2026. | This Internet-Draft will expire on April 9, 2026. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 47 ¶ | |||
| 6.2. Application Programming Interfaces . . . . . . . . . . . 43 | 6.2. Application Programming Interfaces . . . . . . . . . . . 43 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 44 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 44 | |||
| 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 45 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 45 | |||
| 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 45 | 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 46 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 46 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 46 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | |||
| 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 47 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 47 | |||
| 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 47 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 47 | |||
| 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 48 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 48 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 49 | |||
| 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 49 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 49 | |||
| 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 50 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 51 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 51 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 51 | |||
| 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 51 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 51 | |||
| 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 51 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 51 | |||
| 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 52 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 52 | |||
| 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 52 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 52 | |||
| 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 52 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 53 | |||
| 8.8.6. Top-level requests with "unsafe" methods . . . . . . 53 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 53 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 54 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 54 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 9.3. "Cookie Attributes" Registry . . . . . . . . . . . . . . 55 | 9.3. "Cookie Attributes" Registry . . . . . . . . . . . . . . 55 | |||
| 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 55 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 55 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 55 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 55 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 56 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 57 | 10.2. Informative References . . . . . . . . . . . . . . . . . 57 | |||
| 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 59 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| Appendix A. Changes from RFC 6265 . . . . . . . . . . . . . . . 59 | Appendix A. Changes from RFC 6265 . . . . . . . . . . . . . . . 59 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
| skipping to change at page 12, line 47 ¶ | skipping to change at page 12, line 47 ¶ | |||
| ; digits 1 through 9 | ; digits 1 through 9 | |||
| domain-av = "Domain" BWS "=" BWS domain-value | domain-av = "Domain" BWS "=" BWS domain-value | |||
| domain-value = <subdomain> | domain-value = <subdomain> | |||
| ; see details below | ; see details below | |||
| path-av = "Path" BWS "=" BWS path-value | path-av = "Path" BWS "=" BWS path-value | |||
| path-value = *av-octet | path-value = *av-octet | |||
| secure-av = "Secure" | secure-av = "Secure" | |||
| httponly-av = "HttpOnly" | httponly-av = "HttpOnly" | |||
| samesite-av = "SameSite" BWS "=" BWS samesite-value | samesite-av = "SameSite" BWS "=" BWS samesite-value | |||
| samesite-value = "Strict" / "Lax" / "None" | samesite-value = "Strict" / "Lax" / "None" | |||
| extension-av = *av-octet | extension-av = 1*av-octet | |||
| av-octet = %x20-3A / %x3C-7E | av-octet = %x20-3A / %x3C-7E | |||
| ; any CHAR except CTLs or ";" | ; any CHAR except CTLs or ";" | |||
| Note that some of the grammatical terms above reference documents | Note that some of the grammatical terms above reference documents | |||
| that use different grammatical notations than this document (which | that use different grammatical notations than this document (which | |||
| uses ABNF from [RFC5234]). | uses ABNF from [RFC5234]). | |||
| Per the grammar above, servers MUST NOT produce nameless cookies | Per the grammar above, servers MUST NOT produce nameless cookies | |||
| (i.e.: an empty cookie-name) as such cookies may be unpredictably | (i.e.: an empty cookie-name) as such cookies may be unpredictably | |||
| serialized by UAs when sent back to the server. | serialized by UAs when sent back to the server. | |||
| skipping to change at page 13, line 24 ¶ | skipping to change at page 13, line 24 ¶ | |||
| To maximize compatibility with user agents, servers that wish to | To maximize compatibility with user agents, servers that wish to | |||
| store arbitrary data in a cookie-value SHOULD encode that data, for | store arbitrary data in a cookie-value SHOULD encode that data, for | |||
| example, using Base64 [RFC4648]. | example, using Base64 [RFC4648]. | |||
| Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | |||
| characters. Note that in this case, the initial and trailing DQUOTE | characters. Note that in this case, the initial and trailing DQUOTE | |||
| characters are not stripped. They are part of the cookie-value, and | characters are not stripped. They are part of the cookie-value, and | |||
| will be included in Cookie header fields sent to the server. | will be included in Cookie header fields sent to the server. | |||
| Per the grammar above, cookie-avs MUST NOT contain leading or | Per the grammar above, extension-av MUST NOT contain leading or | |||
| trailing WSP characters as they will be interpreted as BWS and | trailing WSP characters as they will be interpreted as BWS and | |||
| removed. | removed. | |||
| The domain-value is a subdomain as defined by Section 3.5 of | The domain-value is a subdomain as defined by Section 3.5 of | |||
| [RFC1034], and as enhanced by Section 2.1 of [RFC1123]. Thus, | [RFC1034], and as enhanced by Section 2.1 of [RFC1123]. Thus, | |||
| domain-value is a string of [USASCII] characters, such as an | domain-value is a string of [USASCII] characters, such as an | |||
| "A-label" as defined in Section 2.3.2.1 of [RFC5890]. | "A-label" as defined in Section 2.3.2.1 of [RFC5890]. | |||
| The portions of the set-cookie-string produced by the cookie-av term | The portions of the set-cookie-string produced by the cookie-av term | |||
| are known as attributes. To maximize compatibility with user agents, | are known as attributes. To maximize compatibility with user agents, | |||
| skipping to change at page 47, line 22 ¶ | skipping to change at page 47, line 22 ¶ | |||
| session identifiers in cookies, developers often create session | session identifiers in cookies, developers often create session | |||
| fixation vulnerabilities. | fixation vulnerabilities. | |||
| Transport-layer encryption, such as that employed in HTTPS, offers a | Transport-layer encryption, such as that employed in HTTPS, offers a | |||
| significant layer of defense against network attacks on cookies. | significant layer of defense against network attacks on cookies. | |||
| However, it is insufficient in fully preventing a networking attacker | However, it is insufficient in fully preventing a networking attacker | |||
| from obtaining or altering a victim's cookies because of inherent | from obtaining or altering a victim's cookies because of inherent | |||
| vulnerabilities in the cookie protocol itself (see "Weak | vulnerabilities in the cookie protocol itself (see "Weak | |||
| Confidentiality" and "Weak Integrity", below). In addition, by | Confidentiality" and "Weak Integrity", below). In addition, by | |||
| default, cookies do not provide confidentiality or integrity from | default, cookies do not provide confidentiality or integrity from | |||
| network attackers, even when used in conjunction with HTTPS. | network attackers, even when used in conjunction with HTTPS. This | |||
| means that a cookie needs to explicitly specify any protective | ||||
| attributes. For example, the cookie: | ||||
| "Set-Cookie: a=b" | ||||
| doesn't specify the Secure attribute and will therefore be accessible | ||||
| on both secure and insecure connections, regardless of the original | ||||
| connection type it was created on. This behavior could allow an | ||||
| attacker to read or modify the cookie. | ||||
| 8.2. Ambient Authority | 8.2. Ambient Authority | |||
| A server that uses cookies to authenticate users can suffer security | A server that uses cookies to authenticate users can suffer security | |||
| vulnerabilities because some user agents let remote parties issue | vulnerabilities because some user agents let remote parties issue | |||
| HTTP requests from the user agent (e.g., via HTTP redirects or HTML | HTTP requests from the user agent (e.g., via HTTP redirects or HTML | |||
| forms). When issuing those requests, user agents attach cookies even | forms). When issuing those requests, user agents attach cookies even | |||
| if the remote party does not know the contents of the cookies, | if the remote party does not know the contents of the cookies, | |||
| potentially letting the remote party exercise authority at an unwary | potentially letting the remote party exercise authority at an unwary | |||
| server. | server. | |||
| End of changes. 10 change blocks. | ||||
| 11 lines changed or deleted | 20 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||