Identifying origin server of HTTP Cookies
draft-pettersen-cookie-origin-02

Abstract

HTTP Cookies, as originally defined by Netscape in [NETSC] and as later updated by [RFC2109] , [RFC2965], and [I-D.ietf-httpstate-cookie] did not address the issue of how to restrict for which domains a server is allowed to set a cookie. This is particularly a problem for servers hosted in top-level domains having subdomains that are controlled by registries and not by domain owners, e.g., "co.uk" and "city.state.us" domains. In such situations, unless the client uses some kind of domain black-list, it is possible for a malicious server to set cookies, so they are sent to all servers in a domain the attacker does not control. These cookies may adveresly affect the function of servers receiving them. The primary reason this is a problem is that the server receiving the cookie has no way of telling which server originally set it; therefore it is not able to distinguish reliably an invalid cookie from a valid one. This document proposes a new attribute, "$Origin", that is associated with each cookie and sent in all client cookie headers in the requests sent to the server. Servers recognizing the attribute may then check to see if the cookie was set by a server, which is allowed to set cookies for the server and, if necessary, ignore the cookie. This document updates RFC 2109 and RFC 2965.

Authors

Yngve Pettersen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)