I-D Action:draft-pettersen-cookie-origin-01.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Identifying origin server of HTTP Cookies
	Author(s)       : Y. Pettersen
	Filename        : draft-pettersen-cookie-origin-01.txt
	Pages           : 7
	Date            : 2010-03-07

HTTP Cookies, as originally defined by Netscape in [NETSC] and as
later updated by [RFC2109] and [RFC2965] did not address the issue of
how to restrict which domains a server is allowed to set a cookie
for: This is particularly a problem for servers hosted in top level
domains having subdomains that are controlled by registries and not
by domain owners, e.g. co.uk and city.state.us domains.  In such
situations, unless the client uses some kind of domain black-list, it
is possible for a malicious server to set cookies so they are sent to
all servers in a domain the attacker does not control.  These cookies
may adversly affect the function of servers receiving them.  The
primary reason this is a problem is that the server receiving the
cookie has no way of telling which server originally set it, and is
therefore not able to reliably distinguish an invalid cookie from a
valid cookie.

This document proposes a new attribute, "$Origin", that is associated
with each cookie and sent in all client cookie headers in the
requests sent to the server.  Servers recognizing the attribute may
then check to see if the cookie was set by a server which is allowed
to set cookies for the server, and if necessary ignore the cookie.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cookie-origin-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-pettersen-cookie-origin-01.txt>
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux