Diff: draft-ietf-httpstate-cookie-10.txt vs. draft-ietf-httpstate-cookie-11.txt
(left/right columns of the rfcdiff output are merged below; lines that differ
between the two drafts are marked [-10] and [-11])

httpstate                                                       A. Barth
Internet-Draft                                             U.C. Berkeley
Obsoletes: 2109 (if approved)   [-10] July 27, 2010 / [-11] September 5, 2010
Intended status: Standards Track
Expires:                        [-10] January 28, 2011 / [-11] March 9, 2011

                    HTTP State Management Mechanism
       [-10] draft-ietf-httpstate-cookie-10 / [-11] draft-ietf-httpstate-cookie-11

Abstract

   This document defines the HTTP Cookie and Set-Cookie header fields.
   These header fields can be used by HTTP servers to store state
   (called cookies) at HTTP user agents, letting the servers maintain a
   stateful session over the mostly stateless HTTP protocol.  Although
   cookies have many historical infelicities that degrade their security
   and privacy, the Cookie and Set-Cookie header fields are widely used
   on the Internet.
[skipping to change at page 2, line 33]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on [-10] January 28, 2011 / [-11] March 9, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

[skipping to change at page 3, line 26]
   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.1.  Conformance Criteria  . . . . . . . . . . . . . . . . . .   6
     2.2.  Syntax Notation . . . . . . . . . . . . . . . . . . . . .   6
     2.3.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   6
   3.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.1.  Examples  . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  Server Requirements . . . . . . . . . . . . . . . . . . . . .  11
     4.1.  Set-Cookie  . . . . . . . . . . . . . . . . . . . . . . .  11
       4.1.1.  Syntax  . . . . . . . . . . . . . . . . . . . . . . .  11
       4.1.2.  Semantics (Non-Normative) . . . . . . . . . . . . . .  12
     4.2.  Cookie  . . . . . . . . . . . . . . . . . .  [-10] 14 / [-11] 15
       4.2.1.  Syntax  . . . . . . . . . . . . . . . . . . . . . . .  15
       4.2.2.  Semantics . . . . . . . . . . . . . . . . . . . . . .  15
   5.  User Agent Requirements . . . . . . . . . . . . . . . . . . .  16
     5.1.  Algorithms  . . . . . . . . . . . . . . . . . . . . . . .  16
       5.1.1.  Dates . . . . . . . . . . . . . . . . . . . . . . . .  16
       5.1.2.  Domains and domain-match  . . . . . . . . . . . . . .  18
       5.1.3.  Paths and path-match  . . . . . . . . . . . . . . . .  18
     5.2.  The Set-Cookie Header . . . . . . . . . . . . . . . . . .  19
       5.2.1.  The Expires Attribute . . . . . . . . . . . . . . . .  21
       5.2.2.  The Max-Age Attribute . . . . . . . . . . . . . . . .  21
[skipping to change at page 12, line 26]

   same set-cookie-string.

   Servers SHOULD NOT include more than one Set-Cookie header field in
   the same response with the same cookie-name.

   If a server sends multiple responses containing Set-Cookie headers
   concurrently to the user agent (e.g., when communicating with the
   user agent over multiple sockets), these responses create a "race
   condition" that can lead to unpredictable behavior.

   [-11 only; this NOTE is added in -11:]
   NOTE: Some legacy user agents differ on their interpretation of two-
   digit years.  To avoid compatibility issues, servers SHOULD use the
   rfc1123-date format, which requires a four-digit year.

   NOTE: Some user agents represent dates using 32-bit UNIX time_t
   values.  Some of these user agents might contain bugs that cause them
   to process dates after the year 2038 incorrectly.

4.1.2.  Semantics (Non-Normative)

   This section describes a simplified semantics of the Set-Cookie
   header.  These semantics are detailed enough to be useful for
   understanding the most common uses of cookies by servers.  The full
   semantics are described in Section 5.
[skipping to change at page 17, line 21]

          the year production, set the found-year flag and set the
          year-value to the number denoted by the date-token.  Skip the
          remaining sub-steps and continue to the next date-token.

       4. If the found-time flag is not set and the token matches the
          time production, set the found-time flag and set the hour-
          value, minute-value, and second-value to the numbers denoted
          by the digits in the date-token, respectively.  Skip the
          remaining sub-steps and continue to the next date-token.

   3. [-10] If the year-value is greater than 68 and less than 100,
      increment the year-value by 1900.
      [-11] If the year-value is greater than or equal to 70 and less
      than or equal to 99, increment the year-value by 1900.

   4. [-10] If the year-value is greater than or equal to 0 and less
      than 69, increment the year-value by 2000.
      [-11] If the year-value is greater than or equal to 0 and less
      than or equal to 69, increment the year-value by 2000.

   [-10 only; this item is removed in -11:]
   1. NOTE: Some legacy user agents interpret two-digit years
      differently.

   5. Abort these steps and fail to parse the cookie-date if

       * at least one of the found-day-of-month, found-month, found-
         year, or found-time flags is not set,

       * the day-of-month-value is less than 1 or greater than 31,

       * the year-value is less than 1601,
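The Section 5.1.1 cookie-date algorithm with the two-digit-year rule as reworded in -11, as an added Python example (not text from either draft). The date-token grammar and the step-5 checks that this excerpt cuts off are taken from the same section as published in RFC 6265, which tries the time production before the other sub-steps; the 32-bit time_t check illustrates the NOTE in Section 4.1.1.

```python
import re
from datetime import datetime, timezone

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
# delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E; runs of delimiters split tokens
DELIM = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
# time = hh:mm:ss, day-of-month = 1*2DIGIT, year = 2*4DIGIT, each followed by non-digit or end
TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\D|$)")
DAY_RE = re.compile(r"^(\d{1,2})(?:\D|$)")
YEAR_RE = re.compile(r"^(\d{2,4})(?:\D|$)")

def normalize_year(year_value):
    """Steps 3 and 4 exactly as worded in -11 (inclusive bounds: 70-99 and 0-69)."""
    if 70 <= year_value <= 99:
        return year_value + 1900
    if 0 <= year_value <= 69:
        return year_value + 2000
    return year_value

def parse_cookie_date(cookie_date):
    """Return an aware UTC datetime, or None where the algorithm says to fail."""
    day = month = year = hms = None
    for token in DELIM.split(cookie_date):
        m = TIME_RE.match(token)
        if hms is None and m:  # found-time
            hms = tuple(int(g) for g in m.groups())
            continue
        m = DAY_RE.match(token)
        if day is None and m:  # found-day-of-month
            day = int(m.group(1))
            continue
        if month is None and token[:3].lower() in MONTHS:  # found-month
            month = MONTHS.index(token[:3].lower()) + 1
            continue
        m = YEAR_RE.match(token)
        if year is None and m:  # found-year
            year = int(m.group(1))
    if None in (day, month, year, hms):  # step 5, first bullet: a flag is not set
        return None
    year = normalize_year(year)
    hour, minute, second = hms
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    try:  # a day that does not exist in that month (e.g. 31 Feb) also fails
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None

def fits_32bit_time_t(dt):
    """False for dates a signed 32-bit time_t cannot hold (after 2038-01-19 03:14:07 UTC)."""
    return 0 <= int(dt.timestamp()) <= 2**31 - 1
```

Two-digit years are accepted here only because user agents must parse legacy dates; a server following the -11 NOTE emits the four-digit rfc1123-date form and never depends on this normalization.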
End of changes.  8 change blocks.  9 lines changed or deleted, 16 lines changed or added.

This html diff was produced by rfcdiff 1.38.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/