A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Identifying origin server of HTTP Cookies
Author(s) : Y. Pettersen
Filename : draft-pettersen-cookie-origin-00.txt
Pages : 7
Date : 2010-03-01
HTTP Cookies, as originally defined by Netscape in [NETSC] andas
later updated by [RFC2109] and [RFC2965] left unaddressed the issue
of how to restrict which domains a server can set a cookie for, which
is particularly a problem for servers hosted in top level domains
have subdomains that are controlled by registries, not domain owners,
e.g. co.uk and city.state.us domains. In such situations, unless the
client uses some kind of domain black-list it is possible for a
malicious server to set cookies that the client will send to all
servers in a domain the attacker does not control, and these cookies
may adversly affect the function of servers receiving them. The
primary reason this is a problem is that the server receiving the
cookie have no way of telling which server originally set it, and is
therefore not able to reliably distinguish an invalid cookie from a
valid cookie. This document proposes a new attribute, "$Origin",
that is associated with each cookie and sent in all the client's
Cookie header in the request to the server. Servers recognizing the
attribute may then check to see if the cookie was set by a server
allowed to set cookies for the server, and if necessary ignore the
cookie.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cookie-origin-00.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
- <ftp://ftp.ietf.org/internet-drafts/draft-pettersen-cookie-origin-00.txt>
-
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt