I-D Action:draft-pettersen-cookie-origin-02.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Identifying origin server of HTTP Cookies
	Author(s)       : Y. Pettersen
	Filename        : draft-pettersen-cookie-origin-02.txt
	Pages           : 8
	Date            : 2011-03-14

HTTP Cookies, as originally defined by Netscape in [NETSC] and as
later updated by [RFC2109] , [RFC2965], and
[I-D.ietf-httpstate-cookie] did not address the issue of how to
restrict for which domains a server is allowed to set a cookie.  This
is particularly a problem for servers hosted in top-level domains
having subdomains that are controlled by registries and not by domain
owners, e.g., "co.uk" and "city.state.us" domains.  In such
situations, unless the client uses some kind of domain black-list, it
is possible for a malicious server to set cookies, so they are sent
to all servers in a domain the attacker does not control.  These
cookies may adveresly affect the function of servers receiving them.
The primary reason this is a problem is that the server receiving the
cookie has no way of telling which server originally set it;
therefore it is not able to distinguish reliably an invalid cookie
from a valid one.

This document proposes a new attribute, "$Origin", that is associated
with each cookie and sent in all client cookie headers in the
requests sent to the server.  Servers recognizing the attribute may
then check to see if the cookie was set by a server, which is allowed
to set cookies for the server and, if necessary, ignore the cookie.

This document updates RFC 2109 and RFC 2965.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-pettersen-cookie-origin-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-pettersen-cookie-origin-02.txt>
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux