cookie
... HTTP default, 80. The
request-port of a cookie is the request-port of the request in which
a Set-Cookie2 ...
...
Because it was used in Netscape's original implementation of state
management, we will use the term cookie to refer to the state
information that passes between an origin server and user agent ...
...
Neither clients nor servers are required to support cookies. A
server MAY refuse to provide content to a client that does not return
...
... state management headers, Set-Cookie2 and Cookie, have common
syntactic properties involving attribute-value pairs. The following
grammar uses the notation, and tokens ...
...
A user agent returns a Cookie request header (see below) to the
origin server if it chooses to continue a session ...
... header comprises the token Set-Cookie2:, followed by a
comma-separated list of one or more cookies. Each cookie begins with a
NAME=VALUE pair, followed by zero or more semi-colon-separated
attribute-value pairs. The syntax for attribute-value pairs was shown
earlier. The specific attributes and the semantics of their values
follows. The NAME=VALUE attribute-value pair MUST come first in each
cookie. The others, if present, can occur in any order. If an
attribute appears more than once in a cookie, the client SHALL use
only the value associated with the first appearance of the attribute;
a client ...
...
The NAME of a cookie MAY be the same as one of the attributes in this
specification. However, because the cookie's NAME must come first in
a Set-Cookie2 response header ...
... REQUIRED. The name of the state information ("cookie") is NAME,
and its value is VALUE. NAMEs that begin with $ are reserved and
MUST NOT be used by applications. ...
... OPTIONAL. Because cookies can be used to derive or store private
information about a user, the value of the Comment attribute
allows an origin server to document how it intends to use the
cookie. The user can inspect the information to decide whether to
initiate or continue a session with this cookie. Characters in
value MUST be in UTF-8 encoding. [RFC2279 ...
... OPTIONAL. Because cookies can be used to derive or store private
information about a user, the CommentURL attribute allows an
origin server to document how it intends to use the cookie. The
user can inspect the information identified by the URL to decide
... OPTIONAL. The Discard attribute instructs the user agent to
discard the cookie unconditionally when the user agent terminates. ...
... Domain attribute specifies the domain
for which the cookie is valid. If an explicitly specified value
does not start ...
... OPTIONAL. The value of the Max-Age attribute is delta-seconds,
the lifetime of the cookie in seconds, a decimal non-negative
integer. To handle cached cookies correctly, a client SHOULD
calculate the age of the cookie according to the age calculation
rules in the HTTP/1.1 specification [RFC2616 ...
... greater than delta-seconds seconds, the client SHOULD discard the
cookie. A value of zero means the cookie SHOULD be discarded
immediately. ...
... Path attribute specifies the subset of
URLs on the origin server to which this cookie applies. ...
... OPTIONAL. The Port attribute restricts the port to which a cookie
may be returned in a Cookie request header. Note that the syntax
REQUIREs quotes around the OPTIONAL portlist even if there is only
... OPTIONAL. The Secure attribute (with no value) directs the user
agent to use only (unspecified) secure means to contact the origin
server whenever it sends back this cookie, to protect the
confidentiality and authenticity of the information in the cookie. ...
... user agent (possibly with user interaction) MAY determine what
level of security it considers appropriate for "secure" cookies.
The Secure attribute should be considered security advice from the
...
... user agent, indicating that it is in the session's
interest to protect the cookie contents. When it sends a "secure"
cookie back to a server, the user agent SHOULD use no less than
the same level of security as was used when it received the cookie
from the server. ...
... version of the state management specification to
which the cookie conforms. For this specification, Version=1
applies. ...
... The default behavior is to discard the cookie when the user
agent exits. ...
... Rejecting Cookies ...
... privacy
violations, a user agent rejects a cookie according to rules below.
The goal of the rules is to try to limit the set of servers for which
a cookie is valid, based on the values of the Path, Domain, and Port ...
... Cookie Management ...
... Set-Cookie2
response header whose NAME is the same as that of a cookie it has
previously stored, the new cookie supersedes the old when: the old
and new Domain attribute values compare equal, using a case-
...
... Path attribute
values string-compare equal (case-sensitive). However, if the
Set-Cookie2 has a value for Max-Age of zero, the (old and new) cookie
is discarded. Otherwise a cookie persists (resources permitting) until
whichever happens first, then gets discarded: its Max-Age lifetime is
...
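The attribute rules above (NAME=VALUE first, first appearance of a repeated attribute wins, quoted portlist, Max-Age as delta-seconds) and the Cookie Management rules (same NAME plus case-insensitive Domain and case-sensitive Path means supersede, Max-Age=0 discards old and new, Discard or no Max-Age means discard at exit) are small enough to implement end to end. The following is an added example written for this page, not code from the RFC or from any browser; the cookie names and headers are constructed, the Domain defaulting to the request-host is an assumption, and the age computation uses the client clock only, omitting the HTTP/1.1 Age/Date correction the text refers to.

```python
from dataclasses import dataclass, field
from typing import Optional


def split_unquoted(text: str, sep: str) -> list:
    """Split on sep outside double quotes: a portlist is always quoted
    (Port="80,8080"), so its commas must not separate cookies."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value (None = flag)
    received_at: float = 0.0                   # client clock when the response arrived

    def max_age(self) -> Optional[int]:
        """delta-seconds, or None when absent or not a decimal non-negative integer."""
        v = self.attrs.get("max-age")
        return int(v) if v is not None and v.isdecimal() else None


def parse_set_cookie2(header: str, request_host: str, received_at: float) -> list:
    """Parse a Set-Cookie2 value: NAME=VALUE first, attributes in any order,
    only the first appearance of a repeated attribute counts, and reserved
    '$' names are rejected. Domain defaults to the request-host (assumption)."""
    cookies = []
    for raw in split_unquoted(header, ","):
        pairs = split_unquoted(raw, ";")
        if not pairs:
            continue
        name, eq, value = pairs[0].partition("=")
        name = name.strip()
        if not eq or not name or name.startswith("$"):
            continue
        c = Cookie(name, value.strip().strip('"'), received_at=received_at)
        for av in pairs[1:]:
            k, eq, v = av.partition("=")
            k = k.strip().lower()
            if k not in c.attrs:                       # first appearance wins
                c.attrs[k] = v.strip().strip('"') if eq else None
        c.attrs.setdefault("domain", request_host)
        cookies.append(c)
    return cookies


class CookieStore:
    """User-agent store applying the Cookie Management rules quoted above."""

    def __init__(self):
        self.cookies = []

    @staticmethod
    def same_slot(a: Cookie, b: Cookie) -> bool:
        """Same NAME, Domain equal case-insensitively, Path equal case-sensitively."""
        return (a.name == b.name
                and (a.attrs.get("domain") or "").lower() == (b.attrs.get("domain") or "").lower()
                and (a.attrs.get("path") or "") == (b.attrs.get("path") or ""))

    def store(self, new: Cookie) -> bool:
        """The new cookie supersedes the old one in its slot; Max-Age=0 discards both."""
        self.cookies = [c for c in self.cookies if not self.same_slot(c, new)]
        if new.max_age() == 0:
            return False
        self.cookies.append(new)
        return True

    def expire(self, now: float) -> None:
        """Discard cookies whose age exceeds delta-seconds (age = now - received_at here)."""
        self.cookies = [c for c in self.cookies
                        if c.max_age() is None or now - c.received_at <= c.max_age()]

    def end_session(self) -> None:
        """User agent exit: Discard, or no Max-Age at all, means the cookie goes."""
        self.cookies = [c for c in self.cookies
                        if "discard" not in c.attrs and c.max_age() is not None]

    def names(self) -> list:
        return sorted(c.name for c in self.cookies)


def demo() -> dict:
    """Drive the store with constructed Set-Cookie2 headers (not from the page)."""
    host, t0, store = "www.acme.example", 1000.0, CookieStore()
    first = ('Customer="WILE_E_COYOTE"; Version="1"; Path="/acme"; Max-Age="3600"; Max-Age="1", '
             'Part_Number="Rocket_Launcher_0001"; Version="1"; Path="/acme"; Discard; Port="80,8080", '
             'Shipping="FedEx"; Version="1"; Path="/acme"; Max-Age="10"')
    for c in parse_set_cookie2(first, host, t0):
        store.store(c)
    by_name = {c.name: c for c in store.cookies}
    out = {"after_first": store.names(),
           "customer_max_age": by_name["Customer"].max_age(),   # 3600: the first Max-Age wins
           "part_port": by_name["Part_Number"].attrs["port"]}
    # Second response cancels Customer with Max-Age=0 and sends a reserved '$' name.
    second = 'Customer="X"; Version="1"; Path="/acme"; Max-Age="0", $Path="/"; Version="1"'
    for c in parse_set_cookie2(second, host, t0 + 5):
        store.store(c)
    out["after_second"] = store.names()
    store.expire(t0 + 11)      # Shipping (Max-Age=10) is now older than delta-seconds
    out["after_expire"] = store.names()
    store.end_session()        # Part_Number carries Discard and goes on exit
    out["after_exit"] = store.names()
    return out
```

The quote-aware splitter is the part most implementations get wrong: splitting a Set-Cookie2 value on bare commas breaks as soon as a Port="80,8080" attribute appears, which is exactly why the grammar requires the portlist to be quoted.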
Because user agents have finite space in which to store cookies, they
MAY also discard older cookies to make space for newer ones, using,
for example, a least-recently-used algorithm, along with constraints
on the maximum number of cookies that each origin server may set.
...
... user agent SHOULD store that information in a human-readable form
with the cookie and SHOULD display the comment text as part of a
cookie inspection user interface.
...
... user agent SHOULD store that information in a human-readable form
with the cookie, or, preferably, SHOULD allow the user to follow the
http_URL link ...
...
The cookie inspection user interface may include a facility whereby a
user can decide, at the time the user agent ...
... Set-Cookie2
response header, whether or not to accept the cookie. A potentially
confusing situation could arise if the following sequence occurs:
...
... the user agent receives a cookie that contains a CommentURL
attribute; ...
... the user agent's cookie inspection interface is configured so
that it presents a dialog to the user before the user agent
accepts the cookie; ...
...
The user agent SHOULD NOT send any cookies in this context. The user
agent MAY discard any cookie it receives in this context that the
user has not, through some user agent ...
...
User agents SHOULD allow the user to control cookie destruction, but
they MUST NOT extend the cookie's lifetime beyond that controlled by
the Discard and Max-Age attributes. An infrequently-used cookie may
function as a "preferences file" for network applications, and a user
may wish to keep it even if it is the least-recently-used cookie. One
possible implementation would be an interface that allows the
permanent storage of a cookie through a checkbox (or, conversely, its
immediate destruction).
...
... Privacy considerations dictate that the user have considerable
control over cookie management. The PRIVACY section contains more
...
... Sending Cookies to the Origin Server ...
... When it sends a request
to an origin server, the user agent includes a Cookie request header
if it has stored cookies ...
... Set-Cookie2 response header.
Otherwise the value for cookie-version is 0. The value for the path
attribute MUST be the value from the Path attribute ...
... Set-Cookie2 response header. Otherwise
the attribute SHOULD be omitted from the Cookie request header. The
value for the domain ...
...
Note that there is neither a Comment nor a CommentURL attribute in
the Cookie request header corresponding to the ones in the Set-
Cookie2 response header ...
... The user agent applies the following rules to choose applicable
cookie-values to send in Cookie request headers from among all the
cookies ...
... If the attribute is present but has no value (e.g., Port), the
cookie MUST only be sent to the request-port it was received
from. ...
... If the attribute has a port-list, the cookie MUST only be
returned if the new request-port is one of those listed in
...
... Cookies that have expired should have been discarded and thus are
not forwarded to an origin server. ...
... If multiple cookies satisfy the criteria above, they are ordered in
the Cookie header such that those with more specific Path attributes
...
...
Note: For backward compatibility, the separator in the Cookie header
is semi-colon (;) everywhere. A server SHOULD also accept comma (,)
as the separator between cookie-values for future compatibility.
...
... clients and servers
that understand different versions of the cookie specification. When
the client sends one or more cookies to an origin server, if at least
one of those cookies contains a $Version attribute whose value is
different from the version ...
... cookie-version is the highest version of cookie
specification (currently 1) that the client understands. The client ...
... Sending Cookies in Unverifiable Transactions ...
... transaction, a user agent MUST disable
all cookie processing (i.e., MUST NOT send cookies, and MUST NOT
accept any received cookies) if the transaction is to a third-party
... request-URI path-matches the
Path attribute of the cookie. When it receives a Cookie header, the
origin server SHOULD treat cookies with NAMEs whose prefix is $
specially, as an attribute for the cookie ...
... URL and
document content is to facilitate the scaling that caching permits.
To support cookies, a caching proxy MUST obey these rules already in
the HTTP ...
... The user agent makes a series of requests on the origin server, after
each of which it receives a new cookie. All the cookies have the
same Path attribute and (default) domain ...
... request-URIs
all path-match /acme, the Path attribute of each cookie, each request
contains all the cookies received so far.
...
... Part_Number="Rocket_Launcher_0001"; $Path="/acme"
Note that the NAME=VALUE pair for the cookie with the more specific
Path attribute, /acme/ammo, comes before the one with the less
specific Path attribute, /acme. Further note that the same cookie
name appears more than once.
...
... prefix
of the request URL, /acme/parts/, so the cookie does not get
forwarded to the server.
...
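The selection rules for the Cookie request header (domain-match, path-match, the three forms of the Port attribute, dropping expired and "secure" cookies, more specific Path first, and $Path/$Domain/$Port echoed only when the server sent them explicitly) are illustrated by the /acme example above. The code below is an added example for this page, not browser code or code from the RFC; the stored cookies are constructed to mirror the /acme walkthrough, and treating TLS as the "secure" level is an assumption of this example.

```python
from urllib.parse import urlsplit


def domain_match(host: str, domain: str) -> bool:
    """host1.foo.com and host2.foo.com share a Domain of .foo.com; a.com and
    b.com never match each other."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain))


def path_match(request_path: str, cookie_path: str) -> bool:
    """The request-URI path-matches Path when Path is a prefix of it."""
    return request_path.startswith(cookie_path)


def port_allowed(request_port: int, c: dict) -> bool:
    """No Port attribute: any port. Port with no value: only the request-port
    the cookie was received on. Port with a portlist: only the listed ports."""
    if "port" not in c:
        return True
    if c["port"] is None:
        return request_port == c["received_port"]
    return request_port in {int(p) for p in c["port"].split(",")}


def select_cookies(stored: list, url: str, now: float) -> list:
    """Pick the stored cookies applicable to a request, most specific Path first."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)   # HTTP default, 80
    path = u.path or "/"
    chosen = [c for c in stored
              if domain_match(host, c["domain"])
              and path_match(path, c["path"])
              and port_allowed(port, c)
              and (c.get("expires") is None or now <= c["expires"])   # expired: not forwarded
              and not (c.get("secure") and u.scheme != "https")]      # "secure" = TLS (assumed)
    return sorted(chosen, key=lambda c: -len(c["path"]))              # stable: ties keep arrival order


def cookie_header(selected: list) -> str:
    """Build the Cookie request header: $Version once, then each cookie followed
    by $Path / $Domain / $Port only when that attribute was explicit in the
    Set-Cookie2 header. The separator is ';' everywhere."""
    if not selected:
        return ""
    parts = ['$Version="1"']
    for c in selected:
        parts.append(f'{c["name"]}="{c["value"]}"')
        if c["explicit_path"]:
            parts.append(f'$Path="{c["path"]}"')
        if c["explicit_domain"]:
            parts.append(f'$Domain="{c["domain"]}"')
        if "port" in c:
            parts.append("$Port" if c["port"] is None else f'$Port="{c["port"]}"')
    return "; ".join(parts)


# Constructed cookie store (not from the page), loosely following the /acme example.
SAMPLE_STORE = [
    {"name": "Customer", "value": "WILE_E_COYOTE", "domain": "www.acme.example",
     "path": "/acme", "explicit_domain": False, "explicit_path": True, "received_port": 80},
    {"name": "Part_Number", "value": "Rocket_Launcher_0001", "domain": "www.acme.example",
     "path": "/acme", "explicit_domain": False, "explicit_path": True, "received_port": 80},
    {"name": "Part_Number", "value": "Riding_Rocket_0023", "domain": "www.acme.example",
     "path": "/acme/ammo", "explicit_domain": False, "explicit_path": True, "received_port": 80},
    # Port attribute with no value: returned only to port 8080, where it was received.
    {"name": "Tracker", "value": "x", "domain": ".acme.example", "path": "/",
     "explicit_domain": True, "explicit_path": False, "received_port": 8080, "port": None},
    # Already expired at any time after 100 seconds on the demo clock.
    {"name": "Stale", "value": "y", "domain": "www.acme.example", "path": "/",
     "explicit_domain": False, "explicit_path": False, "received_port": 80, "expires": 100.0},
]
```

A request to /acme/ammo/... yields both Part_Number cookies with the /acme/ammo one first; a request to /acme/parts/ does not carry the /acme/ammo cookie at all, matching the note above.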
... Practical user agent implementations have limits on the number and
size of cookies that they can store. In general, user agents' cookie
support should have no fixed limits. They should strive to store as
many frequently-used cookies as possible. Furthermore, general-use
user agents SHOULD provide each of the following minimum capabilities
...
... at least 300 cookies ...
... at least 4096 bytes per cookie (as measured by the characters
that comprise the cookie non-terminal in the syntax description
of the Set-Cookie2 ...
... User agents created for specific purposes or for limited-capacity
devices SHOULD provide at least 20 cookies of 4096 bytes, to ensure
that the user can interact with a session-based origin server.
...
... header MUST be retained in
its entirety. If for some reason there is inadequate space to store
the cookie, it MUST be discarded, not truncated.
...
...
Applications should use as few and as small cookies as possible, and
they should cope gracefully with the loss of a cookie.
...
... User agents MAY choose to set an
upper bound on the number of cookies to be stored from a given host
or domain name or on the size of the cookie information. Otherwise a
malicious server could attempt to flood a user agent with many
cookies, or large cookies, on successive responses, which would force
out cookies the user agent had received from other servers. However,
the minima specified above SHOULD still be supported.
...
Informed consent should guide the design of systems that use cookies.
A user should be able to find out how a web site plans to use
information in a cookie and should be able to choose whether or not
those policies are acceptable. Both the user agent and the origin
... to completely disable the sending and saving of cookies. ...
... to notify the user when the user agent is about to send a
cookie to the origin server, to offer the option not to begin a
session. ...
... to let the user decide which cookies, if any, should be saved
when the user concludes a window or user agent session ...
... information. It SHOULD be possible to configure a user agent never
to send Cookie headers, in which case it can never sustain state with
...
... NOTE: User agents should probably be cautious about using files to
store cookies long-term. If a user runs more than one instance of
the user agent, the cookies could be commingled or otherwise
corrupted.
...
An origin server SHOULD promote informed consent by adding CommentURL
or Comment information to the cookies it sends. CommentURL is
preferred because of the opportunity to provide richer information in
a multiplicity of languages ...
... header is a database key, an
origin server should be vigilant to prevent a bad Cookie value from
causing failures.
...
... A user agent in a shared user environment poses a further risk.
Using a cookie inspection interface, User B could examine the
contents of cookies that were saved when User A used the machine.
...
... concerning unverifiable transactions, are meant to reduce the ways
that cookies can "leak" to the "wrong" site. The intent is to
restrict cookies to one host, or a closely related set of hosts.
...
... Domain. We consider it acceptable for hosts host1.foo.com and
host2.foo.com to share cookies, but not a.com and b.com.
...
Similarly, a server can set a Path only for cookies that are related
to the request-URI.
...
... 1. User agent makes request to victim.cracker.edu, gets back
cookie session_id="1234" and sets the default domain
...
...
2. User agent makes request to spoof.cracker.edu, gets back cookie
session-id="1111", with Domain ...
...
The server at victim.cracker.edu should detect that the second
cookie was not one it originated by noticing that the Domain
attribute is not for itself and ignore it.
...
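The server-side half of the scenario above: the origin server parses the Cookie request header, treats $-prefixed NAMEs as attributes of the preceding cookie (as the text asks), and rejects any cookie whose reported $Domain is not the Domain it set for that NAME. This is an added example written for this page, not code from the RFC or from any server; the request header is constructed, and the use of a per-NAME table of issued Domains as the way the server knows what is "for itself" is this example's design choice.

```python
import re

# One NAME=VALUE or $attr=value token. Values may be quoted, and a quoted value
# may contain ';' or ','. Both ';' and ',' are accepted as separators, as the
# text above asks of servers.
_AV = re.compile(r'\s*([^=;,\s]+)\s*(?:=\s*("[^"]*"|[^;,]*))?\s*(?:[;,]|$)')


def parse_cookie_header(header: str) -> tuple:
    """Return (version, cookies). Each cookie is a dict with 'name', 'value'
    and any $Path/$Domain/$Port attribute that followed it in the header.

    $Version applies to the whole header; every other $-prefixed token is an
    attribute of the cookie that precedes it and is never a cookie itself.
    """
    version, cookies = 0, []
    for m in _AV.finditer(header):
        key, raw = m.group(1), m.group(2)
        value = "" if raw is None else raw.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key.startswith("$"):
            attr = key[1:].lower()
            if attr == "version":
                version = int(value) if value.isdecimal() else 0
            elif cookies:
                cookies[-1].setdefault(attr, value)   # first appearance wins
            continue
        cookies.append({"name": key, "value": value})
    return version, cookies


def accept_cookies(server_host: str, issued: dict, header: str) -> tuple:
    """Split a request's cookies into (accepted, rejected).

    `issued` maps each cookie NAME this server sets to the Domain it used
    (None = the default, i.e. the server's own host). A cookie is rejected
    when the server never set that NAME, or when the $Domain the client
    reports is not the one this server would have chosen: that is how
    victim.cracker.edu notices the cookie planted by spoof.cracker.edu.
    """
    _, cookies = parse_cookie_header(header)
    accepted, rejected = [], []
    for c in cookies:
        if c["name"] not in issued:
            rejected.append((c["name"], "not a cookie this server sets"))
            continue
        expected = (issued[c["name"]] or server_host).lower()
        reported = (c.get("domain") or server_host).lower()
        if reported != expected:
            rejected.append((c["name"], f"$Domain {reported!r} is not for {server_host}"))
            continue
        accepted.append(c)
    return accepted, rejected


# Constructed request header for the scenario above (not from the page): the
# user agent returns victim's own session cookie and the one set by spoof.
SPOOF_HEADER = ('$Version="1"; session_id="1234"; $Path="/"; '
                'session_id="1111"; $Path="/"; $Domain=".cracker.edu"')


def demo() -> tuple:
    return accept_cookies("victim.cracker.edu", {"session_id": None}, SPOOF_HEADER)
```

Because the user agent sends both cookies under the same NAME, a server that simply takes "the" session_id value is at the mercy of header ordering; keying acceptance on the $Domain the server itself issued removes that ambiguity.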
... Unexpected Cookie Sharing ...
... Embedded or inlined objects may cause particularly severe privacy
problems if they can be used to share cookies between disparate
hosts. For example, a malicious server could embed cookie
information for host a.com in a URI ...
... Cookies For Account Information ...
...
While it is common practice to use them this way, cookies are not
designed or intended to be used to hold authentication information,
such as account names and passwords. Unless such cookies are
exchanged over an encrypted path, the account information they
...
While both session IDs and cookies can provide a way to sustain
stateful sessions, their intended purpose is different, and,
...
... user initiates session IDs to allow servers to track progress through
them, or to distinguish multiple users on a shared machine. Cookies
are server-initiated, so the cookie mechanism described here gives
users control over something that would otherwise take place without
the users' awareness. Furthermore, cookies convey rich,
server-selected information, whereas session IDs comprise user-selected,
...
Existing cookie implementations, based on the Netscape specification,
use the Set-Cookie (not Set-Cookie2) header. User agents that
receive in the same response both a Set-Cookie and Set-Cookie2
response header for the same cookie MUST discard the Set-Cookie
information and use only the Set-Cookie2 information. Furthermore, a
...
... header,
that the sending server complies with this document and will
understand Cookie request headers that also follow this
specification.
...
...
New cookies MUST replace both equivalent old- and new-style cookies.
That is, if a user agent that follows both this specification and
...
... Domain and Path attributes match (per
the Cookie Management section) a Netscape-style cookie, the
Netscape-style cookie MUST be discarded, and the user agent MUST
retain only the cookie adhering to this specification.
...
... the Set-Cookie2 response header and will receive and send cookies
according to the older specification.
...
... A user agent that supports both this specification and Netscape-style
cookies SHOULD send a Cookie request header that follows the older
Netscape specification if it received the cookie in a Set-Cookie
response header and not in a Set-Cookie2 ...
... header advises the server that the user agent understands
new-style cookies. If the server understands new-style cookies, as
well, it SHOULD continue the stateful session by sending a
Set-Cookie2 response header, rather than Set-Cookie. A server that
does not understand new-style cookies will simply ignore the Cookie2
request header.
...
... cache the Set-Cookie2 and Set-Cookie headers, because there was no
mechanism to suppress caching of headers ...
... security problems. Documents transmitted by an
origin server along with Set-Cookie2 and Set-Cookie headers usually
either will be uncachable, or will be "pre-expired". As long as
...
... caches, and sometimes
serve expired documents without first validating them. This
combination of factors can lead to cookies meant for one user later
being sent to another user. The Set-Cookie2 and Set-Cookie headers
are stored in the cache ...
... Client State -- HTTP Cookies", available at <http://www.netscape.com/newsref/std/cookie_spec.html>, undated. ...
