Skip to main content

Identifying origin server of HTTP Cookies

Document Type Expired Internet-Draft (individual)
Expired & archived
Author Yngve Pettersen
Last updated 2011-03-14
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


HTTP Cookies, as originally defined by Netscape in [NETSC] and as later updated by [RFC2109] , [RFC2965], and [I-D.ietf-httpstate-cookie] did not address the issue of how to restrict for which domains a server is allowed to set a cookie. This is particularly a problem for servers hosted in top-level domains having subdomains that are controlled by registries and not by domain owners, e.g., "" and "" domains. In such situations, unless the client uses some kind of domain black-list, it is possible for a malicious server to set cookies, so they are sent to all servers in a domain the attacker does not control. These cookies may adveresly affect the function of servers receiving them. The primary reason this is a problem is that the server receiving the cookie has no way of telling which server originally set it; therefore it is not able to distinguish reliably an invalid cookie from a valid one. This document proposes a new attribute, "$Origin", that is associated with each cookie and sent in all client cookie headers in the requests sent to the server. Servers recognizing the attribute may then check to see if the cookie was set by a server, which is allowed to set cookies for the server and, if necessary, ignore the cookie. This document updates RFC 2109 and RFC 2965.


Yngve Pettersen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)