User Agent
... cookie to refer to the state
information that passes between an origin server and user agent, and
that gets stored by the user agent ...
... We describe here a way for an origin server to send state information
to the user agent, and for the user agent to return the state
information to the origin server. The goal is to have a minimal
impact on HTTP and user agents.
...
... Set-Cookie2 response headers with any response.
User agents SHOULD send Cookie request headers, subject ...
...
The VALUE is opaque to the user agent and may be anything the
origin server chooses to send, possibly in a server-selected
printable ASCII ...
... OPTIONAL. The Discard attribute instructs the user agent to
discard the cookie unconditionally when the user agent ...
... valid. If an explicitly specified value
does not start with a dot, the user agent supplies a leading dot. ...
... OPTIONAL. The Secure attribute (with no value) directs the user
agent to use only (unspecified) secure means to contact the origin
server whenever it sends back this cookie, to protect the
...
... The user agent (possibly with user interaction) MAY determine what
level of security it considers appropriate for "secure" cookies ...
... The Secure attribute should be considered security advice from the
server to the user agent, indicating that it is in the session's
interest to protect the cookie ...
... cookie contents. When it sends a "secure"
cookie back to a server, the user agent SHOULD use no less than
the same level of security as was used when it received the cookie ...
... User Agent Role ...
... IP address and
port). The user agent MUST ignore attribute-value pairs whose
attribute it does not recognize. The user agent applies these
defaults for optional attributes that are missing:
...
... The default behavior is to discard the cookie when the user
agent exits. ...
... security or privacy
violations, a user agent rejects a cookie according to rules below.
The goal of the rules is to try to limit the set of servers for which
...
...
A user agent rejects (SHALL NOT store its information) if the Version
attribute is missing. Moreover, a user agent rejects (SHALL NOT
store its information) if any of the following is true of the
attributes explicitly present in the Set-Cookie2 ...
... whichever happens first, then gets discarded: its Max-Age lifetime is
exceeded; or, if the Discard attribute is set, the user agent
terminates the session.
...
...
Because user agents have finite space in which to store cookies, they
MAY also discard older cookies ...
... Set-Cookie2 response header includes a Comment attribute, the
user agent SHOULD store that information in a human-readable form
with the cookie ...
... Set-Cookie2 response header includes a CommentURL attribute, the
user agent SHOULD store that information in a human-readable form
with the cookie ...
... cookie inspection user interface may include a facility whereby a
user can decide, at the time the user agent receives the Set-Cookie2
response header ...
... the user agent receives a cookie that contains a CommentURL
attribute; ...
... cookie inspection interface is configured so
that it presents a dialog to the user before the user agent
accepts the cookie; ...
... the dialog allows the user to follow the CommentURL link when
the user agent receives the cookie; and, ...
... user agent SHOULD NOT send any cookies in this context. The user
agent MAY discard any cookie it receives in this context that the
user has not, through some user agent mechanism, deemed acceptable.
...
...
User agents SHOULD allow the user to control cookie destruction, but
they MUST NOT extend the cookie ...
... When it sends a request
to an origin server, the user agent includes a Cookie request header
...
... header corresponding to the ones in the Set-
Cookie2 response header. The user agent does not return the comment
information to the origin server.
...
...
The user agent applies the following rules to choose applicable
cookie-values to send in Cookie ...
... transaction is unverifiable if the user does not have that option.
Unverifiable transactions typically arise when a user agent
automatically requests inlined or embedded entities or when it
resolves redirection (3xx) responses from an origin server.
...
... initiates, is verifiable, and that transaction may directly or
indirectly induce the user agent to make unverifiable transactions.
...
...
When it makes an unverifiable transaction, a user agent MUST disable
all cookie processing (i.e., MUST NOT send cookies ...
... service author from using
unverifiable transactions to induce a user agent to start or continue
a session ...
...
User agents MAY offer configurable options that allow the user agent,
or any autonomous programs that the user agent executes, to ignore
the above rule, so long as these override options default to "off".
...
...
Many current user agents already provide a review option that would
render many links verifiable. For instance, some user agents display
the URL that would be referenced for a particular link ...
... link. The user can therefore determine
whether to visit that site before causing the browser to do so.
(Though not implemented on current user agents, a similar technique
could be used for a button used to submit a form -- the user agent
could display the action to be taken if the user were to select that
button.) However, even this would not make all links ...
...
Many user agents also provide the option for a user to view the HTML
source of a document, or to save the source to an external file where
...
...
1. User Agent -> Server
POST /acme/login ...
... User identifies self via a form.
2. Server -> User Agent
HTTP/1.1 ...
... User selects an item for "shopping basket".
4. Server -> User Agent
HTTP/1.1 ...
... Shopping basket contains an item.
5. User Agent -> Server
POST /acme/shipping HTTP/1.1 ...
... User chooses to process order.
8. Server -> User Agent
HTTP/1.1 ...
...
The user agent makes a series of requests on the origin server, after
each of which it receives a new cookie. All the cookies ...
...
Imagine the user agent has received, in response to earlier requests,
the response headers
...
... how and when to garbage-collect the database entry, in case the
user agent terminates the session by, for example, exiting. ...
...
Practical user agent implementations have limits on the number and
size of cookies that they can store. In general, user agents' cookie
support should have no fixed limits. They should strive to store as
many frequently-used cookies as possible. Furthermore, general-use
user agents SHOULD provide each of the following minimum capabilities
individually, although not necessarily simultaneously:
...
...
User agents created for specific purposes or for limited-capacity
devices SHOULD provide at least 20 cookies ...
... User agents MAY choose to set an
upper bound on the number of cookies to be stored from a given host ...
... cookie information. Otherwise a
malicious server could attempt to flood a user agent with many
cookies, or large cookies, on successive responses, which would force
out cookies the user agent had received from other servers. However,
the minima specified above SHOULD still be supported.
...
... information in a cookie and should be able to choose whether or not
those policies are acceptable. Both the user agent and the origin
server must assist informed consent.
...
... User Agent Control ...
... subsequently fills out a form that contains identifying information.)
This state management specification therefore requires that a user
agent give the user control over such a possible intrusion, although
the interface through which the user is given this control is left
...
... to notify the user when the user agent is about to send a
cookie to the origin server, to offer the option not to begin a
...
... to let the user decide which cookies, if any, should be saved
when the user concludes a window or user agent session. ...
...
A user agent usually begins execution with no remembered state
information. It SHOULD be possible to configure a user agent never
to send Cookie headers, in which case it can never sustain state with
an origin server. (The user agent would then behave like one that is
unaware of how to handle Set-Cookie2 response headers ...
...
When the user agent terminates execution, it SHOULD let the user
discard all state information. Alternatively, the user agent MAY ask
the user whether state information should be retained; the default
should be "no". If the user chooses to retain state information, it
would be restored the next time the user agent runs.
...
...
NOTE: User agents should probably be cautious about using files to
store cookies long-term. If a user runs more than one instance of
the user agent, the cookies could be commingled or otherwise
corrupted.
...
...
A user agent in a shared user environment poses a further risk.
Using a cookie inspection interface ...
... victim.cracker.edu.
2. User agent makes request to spoof.cracker.edu, gets back cookie
session-id ...
... Domain=".cracker.edu".
3. User agent makes request to victim.cracker.edu again, and
passes
...
...
A user agent SHOULD make every attempt to prevent the sharing of
session information between hosts ...
... URI for a CGI on host b.com. User
agent implementors are strongly encouraged to prevent this sort of
exchange whenever possible.
...
... Set-Cookie (not Set-Cookie2) header. User agents that
receive in the same response both a Set-Cookie and Set-Cookie2 ...
... information and use only the Set-Cookie2 information. Furthermore, a
user agent MUST assume, if it received a Set-Cookie2 response header,
...
... cookies MUST replace both equivalent old- and new-style cookies.
That is, if a user agent that follows both this specification and
Netscape's original specification receives a Set-Cookie2 response
...
... cookie, the
Netscape-style cookie MUST be discarded, and the user agent MUST
retain only the cookie adhering to this specification.
...
...
Older user agents that do not understand this specification, but that
do understand Netscape's original specification, will not recognize
the Set-Cookie2 ...
...
A user agent that supports both this specification and Netscape-style
cookies SHOULD send a Cookie ...
...
The Cookie2 header advises the server that the user agent understands
new-style cookies. If the server understands new-style cookies ...
