HTTP State Management Mechanism (httpstate) ------------------------------------------- Charter Last Modified: 2010-04-21 Current Status: Active Working Group Chair(s): Jeff Hodges Applications Area Director(s): Pete Resnick Alexey Melnikov Peter Saint-Andre Applications Area Advisor: Peter Saint-Andre Mailing Lists: General Discussion:http-state@ietf.org To Subscribe: https://www.ietf.org/mailman/listinfo/http-state Archive: http://www.ietf.org/mail-archive/web/http-state/current/maillist.html Description of Working Group: The HTTP State Management Mechanism (aka Cookies) was originally created by Netscape Communications in their informal Netscape cookie specification ("cookie_spec.html"), from which formal specifications RFC 2109 and RFC 2965 evolved. The formal specifications, however, were never fully implemented in practice; RFC 2109, in addition to cookie_spec.html, more closely resemble real-world implementations than RFC 2965, even though RFC 2965 officially obsoletes the former. Compounding the problem are undocumented features (such as HTTPOnly), and varying behaviors among real-world implementations. The working group will create a new RFC that: * obsoletes RFC 2109, * updates RFC 2965 to the extent it overlaps or voids RFC 2109, and * specifies Cookies as they are actually used in existing implementations and deployments. Where commonalities exist in the most widely used implementations, the working group will specify the common behavior. Where differences exist among the most widely used implementations, the working group will document the variations and seek consensus to reduce variation by selecting among the most widely used variations. The working group must not introduce any new syntax or new semantics not already in common use. The working group's specific deliverables are: * A standards-track document that is suitable to supersede RFC 2109 (likely based on draft-abarth-cookie) * An informational document cataloguing the differences between major implementations In doing so, the working group should consider: * cookie_spec.html - Netscape Cookie Specification http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html * RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965) http://tools.ietf.org/html/rfc2109 * RFC 2964 - Use of HTTP State Management http://tools.ietf.org/html/rfc2964 * RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109) http://tools.ietf.org/html/rfc2965 * I-D - HTTP State Management Mechanism v2 http://tools.ietf.org/html/draft-pettersen-cookie-v2 * I-D - Cookie-based HTTP Authentication http://tools.ietf.org/html/draft-broyer-http-cookie-auth * Widely Implemented - HTTPOnly http://www.owasp.org/index.php/HTTPOnly * Browser Security Handbook - Cookies http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies * HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf Goals and Milestones: Mar 2010 Feature-complete Internet-Draft of Cookie specification May 2010 Feature-complete test suite of Cookie specification Jun 2010 Feature-complete draft of deviation description Jul 2010 First fully conforming implementation in a major browser Sep 2010 Last Call for Cookie specification Oct 2010 Last Call for deviation description Dec 2010 Second fully conforming implementation in a major browser Jan 2011 Submit Cookie specification to IESG for consideration as a Draft Standard Jan 2011 Submit deviation description to IESG for consideration as Informationa Mar 2011 Close or recharter Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jan 2010 Feb 2011 HTTP State Management Mechanism Request For Comments: None to date.