rfcdiff: draft-ietf-httpbis-rfc6265bis-15.txt vs. draft-ietf-httpbis-rfc6265bis-latest.txt
(where the two versions differ, text is labelled [-15] and [latest])

HTTP Working Group                                         S. Bingler, Ed.
Internet-Draft                                                M. West, Ed.
Obsoletes: 6265 (if approved)                                   Google LLC
Intended status: Standards Track                          J. Wilander, Ed.
Expires: January 22, 2025 [-15] / April 1, 2025 [latest]        Apple, Inc
                                July 21, 2024 [-15] / September 28, 2024 [latest]

                 Cookies: HTTP State Management Mechanism
     draft-ietf-httpbis-rfc6265bis-15 / draft-ietf-httpbis-rfc6265bis-latest
Abstract

   This document defines the HTTP Cookie and Set-Cookie header fields.
   These header fields can be used by HTTP servers to store state
   (called cookies) at HTTP user agents, letting the servers maintain a
   stateful session over the mostly stateless HTTP protocol.  Although
   cookies have many historical infelicities that degrade their security
   and privacy, the Cookie and Set-Cookie header fields are widely used
   on the Internet.  This document obsoletes RFC 6265.
[skipping to change at page 2, line 7]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 22, 2025 [-15] /
   April 1, 2025 [latest].

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 3, line 7]

   (Table of Contents; page numbers are given as -15 / latest where they differ)

   3.2.  Which Requirements to Implement  . . . . . . . . . . . .   9
     3.2.1.  Cookie Producing Implementations . . . . . . . . . .  10
     3.2.2.  Cookie Consuming Implementations . . . . . . . . . .  10
   4.  Server Requirements  . . . . . . . . . . . . . . . . . . .  11
     4.1.  Set-Cookie . . . . . . . . . . . . . . . . . . . . . .  11
       4.1.1.  Syntax . . . . . . . . . . . . . . . . . . . . . .  11
       4.1.2.  Semantics (Non-Normative)  . . . . . . . . . . . .  13
       4.1.3.  Cookie Name Prefixes . . . . . . . . . . . . . . .  16
     4.2.  Cookie . . . . . . . . . . . . . . . . . . . . . . . .  18
       4.2.1.  Syntax . . . . . . . . . . . . . . . . . . . . . .  18
       4.2.2.  Semantics  . . . . . . . . . . . . . . . . . . . .  18 / 19
   5.  User Agent Requirements  . . . . . . . . . . . . . . . . .  19
     5.1.  Subcomponent Algorithms  . . . . . . . . . . . . . . .  19
       5.1.1.  Dates  . . . . . . . . . . . . . . . . . . . . . .  19
       5.1.2.  Canonicalized Host Names . . . . . . . . . . . . .  21
       5.1.3.  Domain Matching  . . . . . . . . . . . . . . . . .  22
       5.1.4.  Paths and Path-Match . . . . . . . . . . . . . . .  22
     5.2.  "Same-site" and "cross-site" Requests  . . . . . . . .  23
       5.2.1.  Document-based requests  . . . . . . . . . . . . .  23
       5.2.2.  Worker-based requests  . . . . . . . . . . . . . .  24
     5.3.  Ignoring Set-Cookie Header Fields  . . . . . . . . . .  25
     5.4.  Cookie Name Prefixes . . . . . . . . . . . . . . . . .  25 / 26
     5.5.  Cookie Lifetime Limits . . . . . . . . . . . . . . . .  27
     5.6.  The Set-Cookie Header Field  . . . . . . . . . . . . .  27
       5.6.1.  The Expires Attribute  . . . . . . . . . . . . . .  30
       5.6.2.  The Max-Age Attribute  . . . . . . . . . . . . . .  30
       5.6.3.  The Domain Attribute . . . . . . . . . . . . . . .  31
       5.6.4.  The Path Attribute . . . . . . . . . . . . . . . .  31
       5.6.5.  The Secure Attribute . . . . . . . . . . . . . . .  32
       5.6.6.  The HttpOnly Attribute . . . . . . . . . . . . . .  32
       5.6.7.  The SameSite Attribute . . . . . . . . . . . . . .  32
     5.7.  Storage Model  . . . . . . . . . . . . . . . . . . . .  34
     5.8.  Retrieval Model  . . . . . . . . . . . . . . . . . . .  39 / 40
       5.8.1.  The Cookie Header Field  . . . . . . . . . . . . .  40
       5.8.2.  Non-HTTP APIs  . . . . . . . . . . . . . . . . . .  40
       5.8.3.  Retrieval Algorithm  . . . . . . . . . . . . . . .  41
   6.  Implementation Considerations  . . . . . . . . . . . . . .  42 / 43
     6.1.  Limits . . . . . . . . . . . . . . . . . . . . . . . .  42 / 43
     6.2.  Application Programming Interfaces . . . . . . . . . .  43
     6.3.  IDNA Dependency and Migration  . . . . . . . . . . . .  43 / 44
   7.  Privacy Considerations . . . . . . . . . . . . . . . . . .  44
     7.1.  Third-Party Cookies  . . . . . . . . . . . . . . . . .  45
     7.2.  Cookie Policy  . . . . . . . . . . . . . . . . . . . .  45 / 46
     7.3.  User Controls  . . . . . . . . . . . . . . . . . . . .  46
     7.4.  Expiration Dates . . . . . . . . . . . . . . . . . . .  46
   8.  Security Considerations  . . . . . . . . . . . . . . . . .  46 / 47
     8.1.  Overview . . . . . . . . . . . . . . . . . . . . . . .  46 / 47
     8.2.  Ambient Authority  . . . . . . . . . . . . . . . . . .  47
     8.3.  Clear Text . . . . . . . . . . . . . . . . . . . . . .  47 / 48
     8.4.  Session Identifiers  . . . . . . . . . . . . . . . . .  48 / 49
     8.5.  Weak Confidentiality . . . . . . . . . . . . . . . . .  49
     8.6.  Weak Integrity . . . . . . . . . . . . . . . . . . . .  49 / 50
     8.7.  Reliance on DNS  . . . . . . . . . . . . . . . . . . .  50 / 51
     8.8.  SameSite Cookies . . . . . . . . . . . . . . . . . . .  50 / 51
       8.8.1.  Defense in depth . . . . . . . . . . . . . . . . .  50 / 51
       8.8.2.  Top-level Navigations  . . . . . . . . . . . . . .  51
       8.8.3.  Mashups and Widgets  . . . . . . . . . . . . . . .  52
       8.8.4.  Server-controlled  . . . . . . . . . . . . . . . .  52
       8.8.5.  Reload navigations . . . . . . . . . . . . . . . .  52 / 53
       8.8.6.  Top-level requests with "unsafe" methods . . . . .  53
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . .  54
     9.1.  Cookie . . . . . . . . . . . . . . . . . . . . . . . .  54
     9.2.  Set-Cookie . . . . . . . . . . . . . . . . . . . . . .  54
     9.3.  Cookie Attribute Registry  . . . . . . . . . . . . . .  54 / 55
       9.3.1.  Procedure  . . . . . . . . . . . . . . . . . . . .  55
       9.3.2.  Registration . . . . . . . . . . . . . . . . . . .  55
   10. References . . . . . . . . . . . . . . . . . . . . . . . .  55
     10.1.  Normative References  . . . . . . . . . . . . . . . .  55 / 56
     10.2.  Informative References  . . . . . . . . . . . . . . .  57
     10.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . .  59
   Appendix A.  Changes from RFC 6265 . . . . . . . . . . . . . .  59
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  60
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  60 / 61
1.  Introduction

   This document defines the HTTP Cookie and Set-Cookie header fields.
   Using the Set-Cookie header field, an HTTP server can pass name/value
   pairs and associated metadata (called cookies) to a user agent.  When
   the user agent makes subsequent requests to the server, the user
   agent uses the metadata and other information to determine whether to
   return the name/value pairs in the Cookie header field.
[skipping to change at page 12, line 8]

4.1.1.  Syntax

   Informally, the Set-Cookie response header field contains a cookie,
   which begins with a name-value-pair, followed by zero or more
   attribute-value pairs.  Servers SHOULD NOT send Set-Cookie header
   fields that fail to conform to the following grammar:

   set-cookie        = set-cookie-string
   set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
   cookie-pair       = cookie-name BWS "=" BWS cookie-value
   cookie-name       = 1*cookie-octet                          [-15]
   cookie-name       = token                                   [latest]
   cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
   cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                         ; US-ASCII characters excluding CTLs,
                         ; whitespace, DQUOTE, comma, semicolon,
                         ; and backslash
   token             = <token, defined in [RFC7230], Section 3.2.6>
                                                               [latest only]

   cookie-av         = expires-av / max-age-av / domain-av /
                       path-av / secure-av / httponly-av /
                       samesite-av / extension-av
   expires-av        = "Expires" BWS "=" BWS sane-cookie-date
   sane-cookie-date  =
       <IMF-fixdate, defined in [HTTP], Section 5.6.7>
   max-age-av        = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
   non-zero-digit    = %x31-39
                         ; digits 1 through 9
[skipping to change at page 27, line 47 (-15) / page 28, line 6 (latest)]

   When a user agent receives a Set-Cookie header field in an HTTP
   response, the user agent MAY ignore the Set-Cookie header field in
   its entirety (see Section 5.3).

   If the user agent does not ignore the Set-Cookie header field in its
   entirety, the user agent MUST parse the field-value of the Set-Cookie
   header field as a set-cookie-string (defined below).

   NOTE [-15]: The algorithm below is more permissive than the grammar
   in Section 4.1.  For example, the algorithm strips leading and
   trailing whitespace from the cookie name and value (but maintains
   internal whitespace), whereas the grammar in Section 4.1 forbids
   whitespace in these positions.  In addition, the algorithm below
   accommodates some characters that are not cookie-octets according to
   the grammar in Section 4.1.  User agents use this algorithm so as to
   interoperate with servers that do not follow the recommendations in
   Section 4.

   NOTE [latest]: The algorithm below is more permissive than the
   grammar in Section 4.1.  For example, the algorithm allows
   cookie-name to be comprised of cookie-octets instead of being a token
   as specified in Section 4.1 and the algorithm accommodates some
   characters that are not cookie-octets according to the grammar in
   Section 4.1.  In addition, the algorithm below also strips leading
   and trailing whitespace from the cookie name and value (but maintains
   internal whitespace), whereas the grammar in Section 4.1 forbids
   whitespace in these positions.  User agents use this algorithm so as
   to interoperate with servers that do not follow the recommendations
   in Section 4.

   NOTE: As set-cookie-string may originate from a non-HTTP API, it is
   not guaranteed to be free of CTL characters, so this algorithm
   handles them explicitly.  Horizontal tab (%x09) is excluded from the
   CTL characters that lead to set-cookie-string rejection, as it is
   considered whitespace, which is handled separately.
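The grammar in Section 4.1.1 and the user-agent notes in Section 5.6 describe two different acceptance rules for the same header, and the -15 to latest change tightens only the producer-side rule. The following Python is an added example, not part of the draft and not taken from any browser or cookie library; it implements the strict cookie-pair check under both the -15 rule (cookie-name = 1*cookie-octet) and the latest rule (cookie-name = token, per RFC 7230), next to the permissive user-agent parse the notes describe: CTLs other than HTAB abort, leading and trailing whitespace is stripped, internal whitespace and non-cookie-octets are kept, and percent-encoded octets are left untouched. The function names conforms_to_grammar and ua_parse_set_cookie are mine, and the treatment of a name-value-pair without "=" and of an empty name plus empty value follows the draft's storage-model steps that this excerpt does not reproduce, so it is an assumption here.

```python
import string

# --- Section 4.1.1 grammar (what a server SHOULD emit) ----------------------
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
#   i.e. printable US-ASCII minus SP, DQUOTE, comma, semicolon and backslash
COOKIE_OCTET = {chr(c) for c in range(0x21, 0x7F)} - set(' ",;\\')

# token = 1*tchar, with tchar as defined in RFC 7230 Section 3.2.6; this is
# the production the latest draft uses for cookie-name
TCHAR = set("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)

# Octets that make the user-agent algorithm abort: CTLs other than HTAB
CTL_ABORT = ({chr(c) for c in range(0x00, 0x20)} - {"\t"}) | {"\x7f"}


def is_token(s: str) -> bool:
    return bool(s) and all(c in TCHAR for c in s)


def is_cookie_value(s: str) -> bool:
    # cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return all(c in COOKIE_OCTET for c in s)


def conforms_to_grammar(name: str, value: str, name_is_token: bool = True) -> bool:
    """True if name/value satisfy the cookie-pair production of Section 4.1.1.

    name_is_token=True  checks cookie-name = token           (latest draft)
    name_is_token=False checks cookie-name = 1*cookie-octet  (draft -15)
    Only the name and value components are checked, not BWS placement.
    """
    if name_is_token:
        name_ok = is_token(name)
    else:
        name_ok = bool(name) and all(c in COOKIE_OCTET for c in name)
    return name_ok and is_cookie_value(value)


# --- Section 5.6 user-agent parse (deliberately more permissive) ------------
def ua_parse_set_cookie(set_cookie_string: str):
    """Parse a set-cookie-string the way the user-agent algorithm does.

    Returns None where the algorithm aborts, otherwise a dict holding the
    name, the value and the (attribute-name, attribute-value) pairs.
    Percent-encoded sequences are never decoded.  Assumption (from the
    draft's storage-model steps, not shown in this excerpt): a missing "="
    yields an empty name with the whole string as value, and an empty
    name together with an empty value aborts.
    """
    if any(c in CTL_ABORT for c in set_cookie_string):
        return None
    if ";" in set_cookie_string:
        name_value, unparsed = set_cookie_string.split(";", 1)
    else:
        name_value, unparsed = set_cookie_string, ""
    if "=" in name_value:
        name, value = name_value.split("=", 1)
    else:
        name, value = "", name_value
    # strip leading/trailing WSP only; internal whitespace survives
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name and not value:
        return None
    attributes = []
    for cookie_av in (unparsed.split(";") if unparsed else []):
        if "=" in cookie_av:
            attr, attr_value = cookie_av.split("=", 1)
        else:
            attr, attr_value = cookie_av, ""
        attr, attr_value = attr.strip(" \t"), attr_value.strip(" \t")
        if attr:  # attributes with empty (hence unrecognised) names are ignored
            attributes.append((attr, attr_value))
    return {"name": name, "value": value, "attributes": attributes}


if __name__ == "__main__":
    # Constructed inputs: the first is the RFC's own SID example, the rest
    # are sloppy headers a user agent still has to cope with.
    for raw in ["SID=31d4d96e407aad42; Path=/; Secure; HttpOnly",
                " {id} = 1 ; Max-Age=3600",
                "a=b\x00c",
                "token=%3Bnot-decoded"]:
        parsed = ua_parse_set_cookie(raw)
        if parsed is None:
            print(f"{raw!r}: rejected by the user agent (CTL present)")
            continue
        n, v = parsed["name"], parsed["value"]
        print(f"{raw!r}: UA stores name={n!r} value={v!r}; "
              f"grammar -15={conforms_to_grammar(n, v, False)} "
              f"latest={conforms_to_grammar(n, v)}")
```

Running it shows the practical consequence of the grammar change: a name such as {id} conforms under -15, fails under latest, and is stored by the user agent either way. A server that validates received cookie names against the stricter production must therefore treat a non-conforming name as something any origin on the site could have set through the permissive path, not as evidence of a broken client.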
   NOTE: The set-cookie-string may contain octet sequences that appear
   percent-encoded as per Section 2.1 of [RFC3986].  However, a user
   agent MUST NOT decode these sequences and instead parse the
[skipping to change at page 57, line 5 (-15) / page 57, line 23 (latest)]

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [SAMESITE] WHATWG, "HTML - Living Standard", January 2021,
              <https://html.spec.whatwg.org/#same-site>.

   [SERVICE-WORKERS]                                          [-15 only]
              Russell, A., Song, J., and J. Archibald, "Service
              Workers", n.d., <http://www.w3.org/TR/service-workers/>.

   [USASCII]  American National Standards Institute, "Coded Character
              Set -- 7-bit American Standard Code for Information
              Interchange", ANSI X3.4, 1986.

10.2.  Informative References

   [Aggarwal2010]
              Aggarwal, G., Burzstein, E., Jackson, C., and D. Boneh,
              "An Analysis of Private Browsing Modes in Modern
              Browsers", 2010,

[skipping to change at page 58, line 50 (-15) / page 59, line 20 (latest)]

              Options", RFC 7034, DOI 10.17487/RFC7034, October 2013,
              <https://www.rfc-editor.org/info/rfc7034>.

   [RFC9113]  Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
              DOI 10.17487/RFC9113, June 2022,
              <https://www.rfc-editor.org/info/rfc9113>.

   [RFC9114]  Bishop, M., Ed., "HTTP/3", RFC 9114, DOI 10.17487/RFC9114,
              June 2022, <https://www.rfc-editor.org/info/rfc9114>.

   [SERVICE-WORKERS]                                       [latest only]
              Archibald, J. and M. Kruisselbrink, "Service Workers",
              n.d., <https://www.w3.org/TR/service-workers/>.

   [UTS46]    Davis, M. and M. Suignard, "Unicode IDNA Compatibility
              Processing", UNICODE Unicode Technical Standards # 46,
              June 2016, <http://unicode.org/reports/tr46/>.

10.3.  URIs

   [1] https://www.iana.org/assignments/cookie-attribute-names

Appendix A.  Changes from RFC 6265
End of changes.  23 change blocks.
34 lines changed or deleted, 38 lines changed or added.

This html diff was produced by rfcdiff 1.48.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/