SCS: KoanLogic's Secure Cookie Sessions for HTTP
RFC 6896

Document type: RFC - Informational (March 2013; Errata)
Last updated: 2013-03-19
Stream: ISE (Independent Submission)
IETF conflict review: conflict-review-secure-cookie-session-protocol
State: Published RFC; IESG state RFC 6896 (Informational)
Document shepherd: none assigned
Independent Submission                                        S. Barbato
Request for Comments: 6896                                  S. Dorigotti
Category: Informational                                  T. Fossati, Ed.
ISSN: 2070-1721                                                KoanLogic
                                                              March 2013

            SCS: KoanLogic's Secure Cookie Sessions for HTTP

Abstract

   This memo defines a generic URI and HTTP-header-friendly envelope for
   carrying symmetrically encrypted, authenticated, and origin-
   timestamped tokens.  It also describes one possible usage of such
   tokens via a simple protocol based on HTTP cookies.

   Secure Cookie Session (SCS) use cases cover a wide spectrum of
   applications, ranging from distribution of authorized content via
   HTTP (e.g., with out-of-band signed URIs) to securing browser
   sessions with diskless embedded devices (e.g., Small Office, Home
   Office (SOHO) routers) or web servers with high availability or load-
   balancing requirements that may want to delegate the handling of the
   application state to clients instead of using shared storage or
   forced peering.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6896.

Barbato, et al.               Informational                     [Page 1]
RFC 6896                           SCS                        March 2013

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.


Table of Contents

   1. Introduction ....................................................4
   2. Requirements Language ...........................................4
   3. SCS Protocol ....................................................5
      3.1. SCS Cookie Description .....................................5
           3.1.1. ATIME ...............................................6
           3.1.2. DATA ................................................6
           3.1.3. TID .................................................7
           3.1.4. IV ..................................................7
           3.1.5. AUTHTAG .............................................7
      3.2. Crypto Transform ...........................................8
           3.2.1. Choice and Role of the Framing Symbol ...............8
           3.2.2. Cipher Set ..........................................9
           3.2.3. Compression .........................................9
           3.2.4. Cookie Encoding .....................................9
           3.2.5. Outbound Transform ..................................9
           3.2.6. Inbound Transform ..................................10
      3.3. PDU Exchange ..............................................12
           3.3.1. Cookie Attributes ..................................12
                  3.3.1.1. Expires ...................................12
                  3.3.1.2. Max-Age ...................................12
                  3.3.1.3. Domain ....................................13
                  3.3.1.4. Secure ....................................13
                  3.3.1.5. HttpOnly ..................................13
   4. Key Management and Session State ...............................13
   5. Cookie Size Considerations .....................................15
   6. Acknowledgements ...............................................15
   7. Security Considerations ........................................15
      7.1. Security of the Cryptographic Protocol ....................15
      7.2. Impact of the SCS Cookie Model ............................16
           7.2.1. Old Cookie Replay ..................................16