draft-ietf-httpstate-cookie-12.txt   draft-ietf-httpstate-cookie-13.txt 
httpstate A. Barth httpstate A. Barth
Internet-Draft U.C. Berkeley Internet-Draft U.C. Berkeley
Obsoletes: 2109 (if approved) September 16, 2010 Obsoletes: 2109 (if approved) September 24, 2010
Intended status: Standards Track Intended status: Standards Track
Expires: March 20, 2011 Expires: March 28, 2011
HTTP State Management Mechanism HTTP State Management Mechanism
draft-ietf-httpstate-cookie-12 draft-ietf-httpstate-cookie-13
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. on the Internet.
skipping to change at page 2, line 33 skipping to change at page 2, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 20, 2011. This Internet-Draft will expire on March 28, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 5 skipping to change at page 7, line 5
OWS SHOULD either not be produced or be produced as a single SP OWS SHOULD either not be produced or be produced as a single SP
character. character.
2.3. Terminology 2.3. Terminology
The terms user agent, client, server, proxy, and origin server have The terms user agent, client, server, proxy, and origin server have
the same meaning as in the HTTP/1.1 specification ([RFC2616], Section the same meaning as in the HTTP/1.1 specification ([RFC2616], Section
1.3). 1.3).
The request-host is the fully-qualified domain name of the host to The request-host is the name of the host, as known by the user agent,
which the user agent is sending an HTTP request or is receiving an to which the user agent is sending an HTTP request or is receiving an
HTTP response from (i.e., the fully-qualified domain name of the host HTTP response from (i.e., the name of the host to which it sent the
to which it sent the corresponding HTTP request). corresponding HTTP request).
The term request-uri is defined in Section 5.1.2 of [RFC2616]. The term request-uri is defined in Section 5.1.2 of [RFC2616].
Two sequences of octets are said to case-insensitively match each Two sequences of octets are said to case-insensitively match each
other if and only if they are equivalent under the i;ascii-casemap other if and only if they are equivalent under the i;ascii-casemap
collation defined in [RFC4790]. collation defined in [RFC4790].
The term string means a sequence of octets.
3. Overview 3. Overview
This section outlines a way for an origin server to send state This section outlines a way for an origin server to send state
information to a user agent and for the user agent to return the information to a user agent and for the user agent to return the
state information to the origin server. state information to the origin server.
To store state, the origin server includes a Set-Cookie header in an To store state, the origin server includes a Set-Cookie header in an
HTTP response. In subsequent requests, the user agent returns a HTTP response. In subsequent requests, the user agent returns a
Cookie request header to the origin server. The Cookie header Cookie request header to the origin server. The Cookie header
contains cookies the user agent received in previous Set-Cookie contains cookies the user agent received in previous Set-Cookie
headers. The origin server is free to ignore the Cookie header or headers. The origin server is free to ignore the Cookie header or
use its contents for an application-defined purpose. use its contents for an application-defined purpose.
Origin servers can send a Set-Cookie response header with any Origin servers can send a Set-Cookie response header with any
response. An origin server can include multiple Set-Cookie header response. An origin server can include multiple Set-Cookie header
fields in a single response. fields in a single response.
Note that folding multiple Set-Cookie header fields into a single Note that folding multiple Set-Cookie header fields into a single
header field might change the semantics of the header because the header field might change the semantics of the header because the
U+002C (",") character is used by the Set-Cookie header in a way that %x2C (",") character is used by the Set-Cookie header in a way that
conflicts with such folding. This historical infelicity is conflicts with such folding. This historical infelicity is
incompatible with the usual mechanism for folding HTTP headers as incompatible with the usual mechanism for folding HTTP headers as
defined in [RFC2616]. defined in [RFC2616].
3.1. Examples 3.1. Examples
Using the Set-Cookie header, a server can send the user agent a short Using the Set-Cookie header, a server can send the user agent a short
string in an HTTP response that the user agent will return in future string in an HTTP response that the user agent will return in future
HTTP requests. For example, the server can send the user agent a HTTP requests. For example, the server can send the user agent a
"session identifier" named SID with the value 31d4d96e407aad42. The "session identifier" named SID with the value 31d4d96e407aad42. The
skipping to change at page 11, line 45 skipping to change at page 11, line 45
cookie-av = expires-av / max-age-av / domain-av / cookie-av = expires-av / max-age-av / domain-av /
path-av / secure-av / httponly-av / path-av / secure-av / httponly-av /
extension-av extension-av
expires-av = "Expires=" sane-cookie-date expires-av = "Expires=" sane-cookie-date
sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1> sane-cookie-date = <rfc1123-date, defined in [RFC2616], Section 3.3.1>
max-age-av = "Max-Age=" 1*DIGIT max-age-av = "Max-Age=" 1*DIGIT
domain-av = "Domain=" domain-value domain-av = "Domain=" domain-value
domain-value = <subdomain> domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as ; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1> ; enhanced by [RFC1123], Section 2.1
path-av = "Path=" path-value path-av = "Path=" path-value
path-value = <any CHAR except CTLs or ";"> path-value = <any CHAR except CTLs or ";">
secure-av = "Secure" secure-av = "Secure"
httponly-av = "HttpOnly" httponly-av = "HttpOnly"
extension-av = <any CHAR except CTLs or ";"> extension-av = <any CHAR except CTLs or ";">
Note that some of the grammatical terms above reference documents Note that some of the grammatical terms above reference documents
that use different grammatical notations than this document (which that use different grammatical notations than this document (which
uses ABNF from [RFC5234]). uses ABNF from [RFC5234]).
The semantics of the cookie-value are not defined by this document. The semantics of the cookie-value are not defined by this document.
skipping to change at page 13, line 42 skipping to change at page 13, line 42
cookie. If a cookie has neither the Max-Age nor the Expires cookie. If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent). session is over" (as defined by the user agent).
4.1.2.3. The Domain Attribute 4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is be sent. For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie "example.com", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com. (Note that a leading U+002E ("."), if present, www.corp.example.com. (Note that a leading %x2E ("."), if present,
is ignored even though that character is not permitted.) If the is ignored even though that character is not permitted.) If the
server omits the Domain attribute, the user agent will return the server omits the Domain attribute, the user agent will return the
cookie only to the origin server. cookie only to the origin server.
WARNING: Some legacy user agents treat an absent Domain attribute WARNING: Some legacy user agents treat an absent Domain attribute
as if the Domain attribute were present and contained the current as if the Domain attribute were present and contained the current
host name. For example, if example.com returns a Set-Cookie host name. For example, if example.com returns a Set-Cookie
header without a Domain attribute, these user agents will header without a Domain attribute, these user agents will
erroneously send the cookie to www.example.com as well. erroneously send the cookie to www.example.com as well.
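Review bot: The WARNING in 4.1.2.3 about legacy user agents sending a Domain-less cookie to www.example.com describes a behaviour with a security consequence (a cookie the server scoped to a single host reaches other hosts), but the paragraph neither says so nor points to Section 8; a cross-reference like the one in 4.1.2.4 ("cannot be relied upon for security (see Section 8)") would help server authors who read only this attribute's description. The switch to %x2E in the leading-dot note is consistent with the rest of the draft.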
skipping to change at page 14, line 25 skipping to change at page 14, line 25
4.1.2.4. The Path Attribute 4.1.2.4. The Path Attribute
The scope of each cookie is limited to a set of paths, controlled by The scope of each cookie is limited to a set of paths, controlled by
the Path attribute. If the server omits the Path attribute, the user the Path attribute. If the server omits the Path attribute, the user
agent will use the "directory" of the request-uri's path component as agent will use the "directory" of the request-uri's path component as
the default value. (See Section 5.1.4 for more details.) the default value. (See Section 5.1.4 for more details.)
The user agent will include the cookie in an HTTP request only if the The user agent will include the cookie in an HTTP request only if the
path portion of the request-uri matches (or is a subdirectory of) the path portion of the request-uri matches (or is a subdirectory of) the
cookie's Path attribute, where the U+002F ("/") character is cookie's Path attribute, where the %x2F ("/") character is
interpreted as a directory separator. interpreted as a directory separator.
Although seemingly useful for isolating cookies between different Although seemingly useful for isolating cookies between different
paths within a given domain, the Path attribute cannot be relied upon paths within a given host, the Path attribute cannot be relied upon
for security (see Section 8). for security (see Section 8).
4.1.2.5. The Secure Attribute 4.1.2.5. The Secure Attribute
The Secure attribute limits the scope of the cookie to "secure" The Secure attribute limits the scope of the cookie to "secure"
channels (where "secure" is defined by the user agent). When a channels (where "secure" is defined by the user agent). When a
cookie has the Secure attribute, the user agent will include the cookie has the Secure attribute, the user agent will include the
cookie in an HTTP request only if the request is transmitted over a cookie in an HTTP request only if the request is transmitted over a
secure channel (typically HTTP over SSL, HTTP over TLS [RFC2818], and secure channel (typically HTTP over SSL, HTTP over TLS [RFC2818], and
TLS [RFC5246] itself). TLS [RFC5246] itself).
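Review bot: In 4.1.2.5 the parenthetical "typically HTTP over SSL, HTTP over TLS [RFC2818], and TLS [RFC5246] itself" lists TLS by itself as a secure channel for an HTTP request, which reads oddly because a request is not transmitted over bare TLS; suggest "typically HTTP over TLS [RFC2818] (formerly HTTP over SSL)", keeping the [RFC5246] citation for TLS if the reference is still wanted. The "domain" to "host" change in 4.1.2.4 matches the terminology change in 2.3 and is correct: the Path attribute partitions cookies within one host, not across a domain.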
skipping to change at page 15, line 26 skipping to change at page 15, line 26
cookie-string = cookie-pair *( ";" SP cookie-pair ) cookie-string = cookie-pair *( ";" SP cookie-pair )
4.2.2. Semantics 4.2.2. Semantics
Each cookie-pair represents a cookie stored by the user agent. The Each cookie-pair represents a cookie stored by the user agent. The
cookie-pair contains the cookie-name and cookie-value the user agent cookie-pair contains the cookie-name and cookie-value the user agent
received in the Set-Cookie header. received in the Set-Cookie header.
Notice that the cookie attributes are not returned. In particular, Notice that the cookie attributes are not returned. In particular,
the server cannot determine from the Cookie header alone when a the server cannot determine from the Cookie header alone when a
cookie will expire, for which domains the cookie is valid, for which cookie will expire, for which hosts the cookie is valid, for which
paths the cookie is valid, or whether the cookie was set with the paths the cookie is valid, or whether the cookie was set with the
Secure or HttpOnly attributes. Secure or HttpOnly attributes.
The semantics of individual cookies in the Cookie header are not The semantics of individual cookies in the Cookie header are not
defined by this document. Servers are expected to imbue these defined by this document. Servers are expected to imbue these
cookies with application-specific semantics. cookies with application-specific semantics.
Although cookies are serialized linearly in the Cookie header, Although cookies are serialized linearly in the Cookie header,
servers SHOULD NOT rely upon the serialization order. In particular, servers SHOULD NOT rely upon the serialization order. In particular,
if the Cookie header contains two cookies with the same name (e.g., if the Cookie header contains two cookies with the same name (e.g.,
skipping to change at page 16, line 28 skipping to change at page 16, line 28
5.1.1. Dates 5.1.1. Dates
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse a cookie-date. Note that the various boolean algorithm to parse a cookie-date. Note that the various boolean
flags defined as a part of the algorithm are initially "not set". flags defined as a part of the algorithm are initially "not set".
1. Using the grammar below, divide the cookie-date into date-tokens. 1. Using the grammar below, divide the cookie-date into date-tokens.
cookie-date = *delimiter date-token-list *delimiter cookie-date = *delimiter date-token-list *delimiter
date-token-list = date-token *( 1*delimiter date-token ) date-token-list = date-token *( 1*delimiter date-token )
date-token = 1*non-delimiter
delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
date-token = day-of-month / month / year / time / mystery non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF
day-of-month = 1*2DIGIT non-digit = %x00-2F / %x3A-FF
month = "jan" [ mystery ] / "feb" [ mystery ] /
"mar" [ mystery ] / "apr" [ mystery ] / day-of-month = 1*2DIGIT ( non-digit *OCTET )
"may" [ mystery ] / "jun" [ mystery ] / month = ( "jan" / "feb" / "mar" / "apr" /
"jul" [ mystery ] / "aug" [ mystery ] / "may" / "jun" / "jul" / "aug" /
"sep" [ mystery ] / "oct" [ mystery ] / "sep" / "oct" / "nov" / "dec" ) *OCTET
"nov" [ mystery ] / "dec" [ mystery ] year = 1*4DIGIT ( non-digit *OCTET )
year = 1*4DIGIT time = hms-time ( non-digit *OCTET )
time = time-field ":" time-field ":" time-field hms-time = time-field ":" time-field ":" time-field
time-field = 1*2DIGIT time-field = 1*2DIGIT
CTLwoHTAB = %x00-08 / %x0A-1F / %x7F
; CTL except HTAB
mystery = CTLwoHTAB / ":" / ALPHA / DIGIT / %x80-FF
; any OCTET except a delimiter
2. Process each date-token sequentially in the order the date-tokens 2. Process each date-token sequentially in the order the date-tokens
appear in the cookie-date: appear in the cookie-date:
1. If the found-day-of-month flag is not set and the date-token 1. If the found-day-of-month flag is not set and the date-token
matches the day-of-month production, set the found-day-of- matches the day-of-month production, set the found-day-of-
month flag and set the day-of-month-value to the number month flag and set the day-of-month-value to the number
denoted by the date-token. Skip the remaining sub-steps and denoted by the date-token. Skip the remaining sub-steps and
continue to the next date-token. continue to the next date-token.
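Review bot: The rewritten productions in step 1 of 5.1.1 make the trailing group mandatory where it should be optional: "day-of-month = 1*2DIGIT ( non-digit *OCTET )", "year = 1*4DIGIT ( non-digit *OCTET )" and "time = hms-time ( non-digit *OCTET )" each require at least one non-digit after the numeric part, so the tokens "06", "1994" and "08:49:37" from an ordinary rfc1123-date such as "Sun, 06 Nov 1994 08:49:37 GMT" match none of them, and step 2.1 ("if the date-token matches the day-of-month production") never fires. The left column's "day-of-month = 1*2DIGIT" did accept those tokens, so this is a regression introduced by the rewrite; the fix is to bracket the group, "day-of-month = 1*2DIGIT [ non-digit *OCTET ]", and likewise for year and time (month is fine because "*OCTET" already permits zero octets). A minor tightening: since "date-token = 1*non-delimiter", the "*OCTET" tails can never actually contain a delimiter, so "*non-delimiter" would describe the tokens more precisely, but that is cosmetic.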
skipping to change at page 18, line 7 skipping to change at page 18, line 7
6. Let the parsed-cookie-date be the date whose day-of-month, month, 6. Let the parsed-cookie-date be the date whose day-of-month, month,
year, hour, minute, and second (in GMT) are the day-of-month- year, hour, minute, and second (in GMT) are the day-of-month-
value, the month-value, the year-value, the hour-value, the value, the month-value, the year-value, the hour-value, the
minute-value, and the second-value, respectively. If no such minute-value, and the second-value, respectively. If no such
date exists, abort these steps and fail to parse the cookie-date. date exists, abort these steps and fail to parse the cookie-date.
7. Return the parsed-cookie-date as the result of this algorithm. 7. Return the parsed-cookie-date as the result of this algorithm.
5.1.2. Canonicalized host names 5.1.2. Canonicalized host names
A canonicalized domain name is the string generated by the following A canonicalized host name is the string generated by the following
algorithm: algorithm:
1. Convert the domain name to a sequence of NR-LDH labels (see 1. Convert the host name to a sequence of NR-LDH labels (see Section
Section 2.3.2.2 of [RFC5890]) and/or A-labels according to the 2.3.2.2 of [RFC5890]) and/or A-labels according to the
appropriate IDNA specification [RFC5891] or [RFC3490] (see appropriate IDNA specification [RFC5891] or [RFC3490] (see
Section 6.3 of this specification) Section 6.3 of this specification)
2. Convert the labels to lower case. 2. Convert the labels to lower case.
3. Concatenate the labels, separating each label from the next with 3. Concatenate the labels, separating each label from the next with
a U+002E (".") character. a %x2E (".") character.
5.1.3. Domain matching 5.1.3. Domain matching
A string domain-matches a given domain string if at least one of the A string domain-matches a given domain string if at least one of the
following conditions hold: following conditions hold:
o The domain string and the string are identical. o The domain string and the string are identical.
o All of the following conditions hold: o All of the following conditions hold:
* The domain string is a suffix of the string. * The domain string is a suffix of the string.
* The last character of the string that is not included in the * The last character of the string that is not included in the
domain string is a U+002E (".") character. domain string is a %x2E (".") character.
* The string is a host name (i.e., not an IP address). * The string is a host name (i.e., not an IP address).
5.1.4. Paths and path-match 5.1.4. Paths and path-match
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to compute the default-path of a cookie: algorithm to compute the default-path of a cookie:
1. Let uri-path be the path portion of the request-uri if such a 1. Let uri-path be the path portion of the request-uri if such a
portion exists (and empty otherwise). For example, if the portion exists (and empty otherwise). For example, if the
request-uri contains just a path (and optional query string), request-uri contains just a path (and optional query string),
then the uri-path is that path (without the U+003F ("?") then the uri-path is that path (without the %x3F ("?") character
character or query string), and if the request-uri contains a or query string), and if the request-uri contains a full
full absoluteURI, the uri-path is the path component of that URI. absoluteURI, the uri-path is the path component of that URI.
2. If the uri-path is empty or if first character of the uri-path is 2. If the uri-path is empty or if first character of the uri-path is
not a U+002F ("/") character, output U+002F ("/") and skip the not a %x2F ("/") character, output %x2F ("/") and skip the
remaining steps. remaining steps.
3. If the uri-path contains only a single U+002F ("/") character, 3. If the uri-path contains only a single %x2F ("/") character,
output U+002F ("/") and skip the remaining steps. output %x2F ("/") and skip the remaining steps.
4. Output the characters of the uri-path from the first character up 4. Output the characters of the uri-path from the first character up
to, but not including, the right-most U+002F ("/"). to, but not including, the right-most %x2F ("/").
A request-path path-matches a given cookie-path if at least one of A request-path path-matches a given cookie-path if at least one of
the following conditions hold: the following conditions hold:
o The cookie-path and the request-path are identical. o The cookie-path and the request-path are identical.
o The cookie-path is a prefix of the request-path and the last o The cookie-path is a prefix of the request-path and the last
character of the cookie-path is U+002F ("/"). character of the cookie-path is %x2F ("/").
o The cookie-path is a prefix of the request-path and the first o The cookie-path is a prefix of the request-path and the first
character of the request-path that is not included in the cookie- character of the request-path that is not included in the cookie-
path is a U+002F ("/") character. path is a %x2F ("/") character.
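Review bot: Step 3 of the default-path algorithm in 5.1.4, "If the uri-path contains only a single %x2F ("/") character", is ambiguous between "the uri-path consists of a single '/'" and "the uri-path contains exactly one '/' anywhere"; under the first reading a uri-path of "/foo" falls through to step 4, whose "up to, but not including, the right-most %x2F" then outputs the empty string as the default-path, which is not a usable cookie-path. Suggest "contains no more than one %x2F ("/") character", which makes the intended reading explicit. On 5.1.3, the condition "The string is a host name (i.e., not an IP address)" belongs only to the suffix bullet, so an IP-address string still domain-matches an identical domain string via the first bullet; if that is intended (host-only cookies on IP hosts), a sentence saying so would stop implementers from adding the check to both bullets. Also, 5.1.3 does not say that both strings are expected to be canonicalized per 5.1.2, and in the text shown 5.2.3 only lower-cases the cookie-domain ("Convert the cookie-domain to lower case.") without the IDNA conversion of 5.1.2, so stating where each side is canonicalized would close that gap.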
5.2. The Set-Cookie Header 5.2. The Set-Cookie Header
When a user agent receives a Set-Cookie header field in an HTTP When a user agent receives a Set-Cookie header field in an HTTP
response, the user agent MUST parse the field-value of the Set-Cookie response, the user agent MUST parse the field-value of the Set-Cookie
header field as a set-cookie-string (defined below). header field as a set-cookie-string (defined below).
NOTE: The algorithm below is more permissive than the grammar in NOTE: The algorithm below is more permissive than the grammar in
Section 4.1. For example, the algorithm strips leading and trailing Section 4.1. For example, the algorithm strips leading and trailing
whitespace from the cookie name and value (but maintains internal whitespace from the cookie name and value (but maintains internal
whitespace), whereas the grammar in Section 4.1 forbids whitespace in whitespace), whereas the grammar in Section 4.1 forbids whitespace in
these positions. User agents use this algorithm so as to these positions. User agents use this algorithm so as to
interoperate with servers that do not follow the recommendations in interoperate with servers that do not follow the recommendations in
Section 4. Section 4.
A user agent MUST use an algorithm equivalent to the following A user agent MUST use an algorithm equivalent to the following
algorithm to parse a "set-cookie-string": algorithm to parse a "set-cookie-string":
1. If the set-cookie-string contains a U+003B (";") character: 1. If the set-cookie-string contains a %x3B (";") character:
The name-value-pair string consists of the characters up to, The name-value-pair string consists of the characters up to,
but not including, the first U+003B (";"), and the unparsed- but not including, the first %x3B (";"), and the unparsed-
attributes consist of the remainder of the set-cookie-string attributes consist of the remainder of the set-cookie-string
(including the U+003B (";") in question). (including the %x3B (";") in question).
Otherwise: Otherwise:
The name-value-pair string consists of all the characters The name-value-pair string consists of all the characters
contained in the set-cookie-string, and the unparsed- contained in the set-cookie-string, and the unparsed-
attributes is the empty string. attributes is the empty string.
2. If the name-value-pair string lacks a U+003D ("=") character, 2. If the name-value-pair string lacks a %x3D ("=") character,
ignore the set-cookie-string entirely. ignore the set-cookie-string entirely.
3. The (possibly empty) name string consists of the characters up 3. The (possibly empty) name string consists of the characters up
to, but not including, the first U+003D ("=") character, and the to, but not including, the first %x3D ("=") character, and the
(possibly empty) value string consists of the characters after (possibly empty) value string consists of the characters after
the first U+003D ("=") character. the first %x3D ("=") character.
4. Remove any leading or trailing WSP characters from the name 4. Remove any leading or trailing WSP characters from the name
string and the value string. string and the value string.
5. If the name string is empty, ignore the set-cookie-string 5. If the name string is empty, ignore the set-cookie-string
entirely. entirely.
6. The cookie-name is the name string, and the cookie-value is the 6. The cookie-name is the name string, and the cookie-value is the
value string. value string.
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse the unparsed-attributes: algorithm to parse the unparsed-attributes:
1. If the unparsed-attributes string is empty, skip the rest of 1. If the unparsed-attributes string is empty, skip the rest of
these steps. these steps.
2. Discard the first character of the unparsed-attributes (which 2. Discard the first character of the unparsed-attributes (which
will be a U+003B (";") character). will be a %x3B (";") character).
3. If the remaining unparsed-attributes contains a U+003B (";") 3. If the remaining unparsed-attributes contains a %x3B (";")
character: character:
Consume the characters of the unparsed-attributes up to, but Consume the characters of the unparsed-attributes up to, but
not including, the first U+003B (";") character. not including, the first %x3B (";") character.
Otherwise: Otherwise:
Consume the remainder of the unparsed-attributes. Consume the remainder of the unparsed-attributes.
Let the cookie-av string be the characters consumed in this step. Let the cookie-av string be the characters consumed in this step.
4. If the cookie-av string contains a U+003D ("=") character: 4. If the cookie-av string contains a %x3D ("=") character:
The (possibly empty) attribute-name string consists of the The (possibly empty) attribute-name string consists of the
characters up to, but not including, the first U+003D ("=") characters up to, but not including, the first %x3D ("=")
character, and the (possibly empty) attribute-value string character, and the (possibly empty) attribute-value string
consists of the characters after the first U+003D ("=") consists of the characters after the first %x3D ("=")
character. character.
Otherwise: Otherwise:
The attribute-name string consists of the entire cookie-av The attribute-name string consists of the entire cookie-av
string, and the attribute-value string is empty. string, and the attribute-value string is empty.
5. Remove any leading or trailing WSP characters from the attribute- 5. Remove any leading or trailing WSP characters from the attribute-
name string and the attribute-value string. name string and the attribute-value string.
skipping to change at page 22, line 25 skipping to change at page 22, line 25
name of Max-Age and an attribute-value of expiry-time. name of Max-Age and an attribute-value of expiry-time.
5.2.3. The Domain Attribute 5.2.3. The Domain Attribute
If the attribute-name case-insensitively matches the string "Domain", If the attribute-name case-insensitively matches the string "Domain",
the user agent MUST process the cookie-av as follows. the user agent MUST process the cookie-av as follows.
If the attribute-value is empty, the behavior is undefined. However, If the attribute-value is empty, the behavior is undefined. However,
user agent SHOULD ignore the cookie-av entirely. user agent SHOULD ignore the cookie-av entirely.
If the first character of the attribute-value string is U+002E ("."): If the first character of the attribute-value string is %x2E ("."):
Let cookie-domain be the attribute-value without the leading Let cookie-domain be the attribute-value without the leading %x2E
U+002E (".") character. (".") character.
Otherwise: Otherwise:
Let cookie-domain be the entire attribute-value. Let cookie-domain be the entire attribute-value.
Convert the cookie-domain to lower case. Convert the cookie-domain to lower case.
Append an attribute to the cookie-attribute-list with an attribute- Append an attribute to the cookie-attribute-list with an attribute-
name of Domain and an attribute-value of cookie-domain. name of Domain and an attribute-value of cookie-domain.
5.2.4. The Path Attribute 5.2.4. The Path Attribute
If the attribute-name case-insensitively matches the string "Path", If the attribute-name case-insensitively matches the string "Path",
the user agent MUST process the cookie-av as follows. the user agent MUST process the cookie-av as follows.
If the attribute-value is empty or if the first character of the If the attribute-value is empty or if the first character of the
attribute-value is not U+002F ("/"): attribute-value is not %x2F ("/"):
Let cookie-path be the default-path. Let cookie-path be the default-path.
Otherwise: Otherwise:
Let cookie-path be the attribute-value. Let cookie-path be the attribute-value.
Append an attribute to the cookie-attribute-list with an attribute- Append an attribute to the cookie-attribute-list with an attribute-
name of Path and an attribute-value of cookie-path. name of Path and an attribute-value of cookie-path.
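Review bot: In 5.2.3 the sentence "However, user agent SHOULD ignore the cookie-av entirely." is missing its article in both columns; it should read "However, the user agent SHOULD ignore the cookie-av entirely." Also in 5.2.3, "Convert the cookie-domain to lower case." lower-cases the attribute-value but does not apply the canonicalization of 5.1.2 (conversion to NR-LDH labels and/or A-labels), so a Domain attribute carrying U-labels would be compared against a canonicalized request-host with different octets; either canonicalize here or state in which later step the cookie-domain is canonicalized. In 5.2.4, falling back to the default-path whenever the attribute-value does not start with "/" silently discards a malformed Path, which is the right interoperable choice but worth a sentence noting that a relative Path value is ignored rather than normalized.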
skipping to change at page 28, line 13 skipping to change at page 28, line 13
this order reflects common practice when this document was this order reflects common practice when this document was
written, and, historically, there have been servers that written, and, historically, there have been servers that
(erroneously) depended on this order. (erroneously) depended on this order.
3. Update the last-access-time of each cookie in the cookie-list to 3. Update the last-access-time of each cookie in the cookie-list to
the current date and time. the current date and time.
4. Serialize the cookie-list into a cookie-string by processing each 4. Serialize the cookie-list into a cookie-string by processing each
cookie in the cookie-list in order: cookie in the cookie-list in order:
1. Output the cookie's name, the U+003D ("=") character, and the 1. Output the cookie's name, the %x3D ("=") character, and the
cookie's value. cookie's value.
2. If there is an unprocessed cookie in the cookie-list, output 2. If there is an unprocessed cookie in the cookie-list, output
the characters U+003B and U+0020 ("; "). the characters %x3B and %x20 ("; ").
NOTE: Despite its name, the cookie-string is actually a sequence of NOTE: Despite its name, the cookie-string is actually a sequence of
octets, not a sequence of characters. To convert the cookie-string octets, not a sequence of characters. To convert the cookie-string
(or components thereof) into a sequence of characters (e.g., for (or components thereof) into a sequence of characters (e.g., for
presentation to the user), the user agent might wish use the UTF-8 presentation to the user), the user agent might wish use the UTF-8
character encoding [RFC3629] to decode the octet sequence. character encoding [RFC3629] to decode the octet sequence.
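Review bot: The NOTE after the serialization steps has a typo: "the user agent might wish use the UTF-8 character encoding" should read "might wish to use". In the same NOTE, decoding an arbitrary octet sequence as UTF-8 can fail or yield replacement characters because nothing in the grammar restricts cookie-value octets to well-formed UTF-8; saying that the decoding may fail or be lossy would set expectations for user-agent presentation code. Step 2 of the serialization, "the characters %x3B and %x20 ("; ")", is consistent with the cookie-string grammar shown before 4.2.2 ("cookie-string = cookie-pair *( ";" SP cookie-pair )").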
6. Implementation Considerations 6. Implementation Considerations
6.1. Limits 6.1. Limits
skipping to change at page 29, line 52 skipping to change at page 29, line 52
serialized date string. serialized date string.
6.3. IDNA dependency and migration 6.3. IDNA dependency and migration
IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490] but is not IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490] but is not
backwards-compatible. For this reason, there will be a transition backwards-compatible. For this reason, there will be a transition
period (possibly of a number of years). User agents SHOULD implement period (possibly of a number of years). User agents SHOULD implement
IDNA2008 [RFC5890] and MAY implement [Unicode Technical Standard #46 IDNA2008 [RFC5890] and MAY implement [Unicode Technical Standard #46
<http://unicode.org/reports/tr46/>] in order to facilitate a smoother <http://unicode.org/reports/tr46/>] in order to facilitate a smoother
IDNA transition. If a user agent does not implement IDNA2008, the IDNA transition. If a user agent does not implement IDNA2008, the
user agents MUST implement IDNA2003 [RFC3490]. user agent MUST implement IDNA2003 [RFC3490].
7. Privacy Considerations 7. Privacy Considerations
Cookies are often criticized for letting servers track users. For Cookies are often criticized for letting servers track users. For
example, a number of "web analytics" companies use cookies to example, a number of "web analytics" companies use cookies to
recognize when a user returns to a web site or visits another web recognize when a user returns to a web site or visits another web
site. Although cookies are not the only mechanism servers can use to site. Although cookies are not the only mechanism servers can use to
track users across HTTP requests, cookies facilitate tracking because track users across HTTP requests, cookies facilitate tracking because
they are persistent across user agent sessions and can be shared they are persistent across user agent sessions and can be shared
between domains. between hosts.
7.1. Third-Party Cookies 7.1. Third-Party Cookies
Particularly worrisome are so-called "third-party" cookies. In Particularly worrisome are so-called "third-party" cookies. In
rendering an HTML document, a user agent often requests resources rendering an HTML document, a user agent often requests resources
from other servers (such as advertising networks). These third-party from other servers (such as advertising networks). These third-party
servers can use cookies to track the user even if the user never servers can use cookies to track the user even if the user never
visits the server directly. visits the server directly.
Some user agents restrict how third-party cookies behave. For Some user agents restrict how third-party cookies behave. For
 End of changes. 44 change blocks. 
62 lines changed or deleted 62 lines changed or added

This html diff was produced by rfcdiff 1.39. The latest version is available from http://tools.ietf.org/tools/rfcdiff/