
I was wondering whether there is a survey or report on the current state of browser compliance with the three cookie specifications: Netscape’s original draft, RFC 2109, and RFC 2965, which obsoletes RFC 2109.

I know that, due to its age, Netscape’s draft will be supported by most clients. But some recommend not using it any more, e.g. this tutorial on Apache’s HttpClient:

Netscape draft: This specification conforms to the original draft specification published by Netscape Communications. It should be avoided unless absolutely necessary for compatibility with legacy code.

So what about the other specifications? Are they ready to be used yet?

Gumbo
  • There doesn't seem to be any hard information out there answering your question. One way to get some data would be to write an application that tries setting cookies in various ways and logs the results together with the browser information, then get many people to surf to it. You can probably get a lot of people to do it for free; there's also Mechanical Turk. – Tom Zych Mar 25 '11 at 11:00
  • @Tom Zych: I know. But I’m a little lazy right now and hoped that there already is such a survey. :) – Gumbo Mar 25 '11 at 11:01
  • Doesn't look like it. But with 500 rep at stake, perhaps someone will do one soon :) – Tom Zych Mar 25 '11 at 11:17
  • @Tom Zych: That’s what I’m hoping for. :) But I guess I'm going to write my own test suite. – Gumbo Mar 25 '11 at 11:25
  • I started to create a test suite, but I don't think there is any point in it. So far I have only tested in Chrome and FF, but neither of them supports `Set-Cookie2`. Nor do they send the *dollar* variables back at all (even if the cookie was sent with `Version=1`). So at this point I don't think there is any point in testing further. – vbence Apr 06 '11 at 10:55
  • UPDATE NOTICE: The current (as of now) **HTTP State Management Mechanism** specification is [**RFC 6265**](http://tools.ietf.org/html/rfc6265), it obsoletes the previous spec RFC 2965. – informatik01 Jun 24 '13 at 13:15
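The probe that Tom Zych and vbence describe above, written out as an added example that is not part of the original thread: a small WSGI application that plants one cookie per specification and then classifies the `Cookie` header the browser sends back on the next request. Whether the `Set-Cookie2` cookie comes back at all, and whether the browser prefixes `$Version`/`$Path` attributes, is exactly the signal vbence was checking for. The names (`app`, `PROBES`, `classify_cookie_header`) and the `/set` and `/check` paths are my own assumptions.

```python
"""Cookie-spec probe: added example, not from the original thread.

Serve this, visit /set in a browser, then /check: the second response
reports which of the three test cookies came back and whether the
browser echoed RFC 2109/2965 "$" attributes.  Names (app, PROBES,
classify_cookie_header, the /set and /check paths) are assumptions.
"""
import json
import re
from wsgiref.simple_server import make_server

# One cookie per specification.  Each has the value "1" so the classifier
# can recognise it regardless of how the browser quotes or orders things.
PROBES = [
    # (response header, header value, spec the cookie exercises)
    ("Set-Cookie",  "ns=1; Path=/",               "netscape"),
    ("Set-Cookie",  'v1=1; Version=1; Path="/"',  "rfc2109"),
    ("Set-Cookie2", 'v2=1; Version=1; Path="/"',  "rfc2965"),
]
PROBE_NAMES = {value.split("=", 1)[0]: spec for _, value, spec in PROBES}


def classify_cookie_header(cookie_header):
    """Report which probe cookies a request's Cookie header carries.

    RFC 2109/2965 clients send '$Version="1"; name="value"; $Path="/"'
    and may separate pairs with ',' as well as ';'; a Netscape-style
    client sends plain 'name=value' pairs separated by ';'.
    """
    seen = {spec: False for spec in PROBE_NAMES.values()}
    seen["dollar_attrs"] = False
    # Splitting on ',' as well is safe here because the probe values
    # never contain one; a general cookie parser would need more care.
    for part in re.split(r"[;,]", cookie_header or ""):
        name, _, value = part.strip().partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name.startswith("$"):
            seen["dollar_attrs"] = True      # $Version / $Path / $Domain
        elif name in PROBE_NAMES and value == "1":
            seen[PROBE_NAMES[name]] = True
    return seen


def app(environ, start_response):
    """Minimal WSGI app: /set plants the probes, /check reads them back."""
    path = environ.get("PATH_INFO", "/")
    if path == "/set":
        headers = [("Content-Type", "text/plain")]
        headers += [(header, value) for header, value, _ in PROBES]
        start_response("200 OK", headers)
        return [b"Probe cookies set; now request /check\n"]
    if path == "/check":
        verdict = classify_cookie_header(environ.get("HTTP_COOKIE", ""))
        record = {"user_agent": environ.get("HTTP_USER_AGENT", "unknown"),
                  "cookies": verdict}
        # In a survey this record would be appended to a log file.
        start_response("200 OK", [("Content-Type", "application/json")])
        return [(json.dumps(record) + "\n").encode("utf-8")]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not found\n"]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

A browser that behaves as vbence observed produces `{"netscape": true, "rfc2109": true, "rfc2965": false, "dollar_attrs": false}`: the `Version=1` cookie is stored, but only as a plain Netscape cookie, and `Set-Cookie2` is ignored.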

3 Answers


The consensus seems to be that they still aren't ready to be used yet. Some of the reasons for that are mentioned here and mostly relate to browser compliance.


However, on a hunch, I suspect your motive for asking this might relate to the session hijacking problem that has been brought into the limelight by applications like FireSheep.

If that's the case, I came across an interesting paper proposing a solution to the problem called OTC's—one-time cookies. It might be worth a read. Its title is One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials and it's from 4 PhD students at Georgia Tech.

(In case that Google Docs link doesn't work, here's a direct link to the PDF.)

In summary, it basically concludes:

While completely replacing HTTP with HTTPS will improve the overall security of the Web, it can be a challenging and complex project for some web applications . . . As a result, many web applications will remain vulnerable while site-wide HTTPS is being deployed, a process that is likely to take several years.

...

By relying on a well-known cryptographic construction such as hash chains, OTC creates disposable authentication tokens that cannot be reused, providing more robust session integrity . . . OTC is considerably more efficient than HTTPS and has approximately the same performance as current cookie-based mechanisms.

It's a very interesting read. I hope that helps someone in some way,

~gMale

  • Thank you for your answer. My question actually aimed for an overview of the current status of the compliance of current web browsers with the three different (de-facto) standards. Funnily enough, I’ve also answered on the question that you linked. But the answers are so unspecific that they are quite worthless for this question (my answer included). – Gumbo Mar 22 '11 at 17:22
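The hash-chain construction the quoted summary refers to, as an added illustration that is not the paper's own protocol or code: the client hashes a random seed n times and hands the server only the last link (the anchor); each request reveals the previous link, which the server verifies by hashing once and comparing against what it stored, then stores the revealed link so a sniffed token is burnt. The class names, the `window` parameter for tolerating a lost request, and the omission of the per-request binding that the paper adds on top are my own simplifications.

```python
"""Hash-chain one-time tokens: added illustration of the construction the
paper builds on, not the paper's own protocol or code.  Class names, the
`window` parameter and the omission of per-request binding are my own
simplifications.
"""
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class OTCClient:
    """Owns the chain.  chain[0] is the secret seed, chain[n] the anchor
    the server learns at login; tokens are revealed from chain[n-1] down."""

    def __init__(self, length: int, seed: bytes = None):
        self._chain = [seed or secrets.token_bytes(32)]
        for _ in range(length):
            self._chain.append(H(self._chain[-1]))
        self._next = length - 1           # index of the next link to reveal

    @property
    def anchor(self) -> bytes:
        return self._chain[-1]

    def remaining(self) -> int:
        return self._next + 1

    def next_token(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; log in again with a fresh chain")
        token = self._chain[self._next]
        self._next -= 1
        return token


class OTCServer:
    """Stores only the last accepted link per session, never the seed."""

    def __init__(self, window: int = 1):
        # window > 1 tolerates a request lost in transit (an assumed
        # refinement common to hash-chain schemes; the paper may differ).
        self.window = window
        self._last = {}                   # session id -> last accepted link

    def login(self, session_id: str, anchor: bytes) -> None:
        self._last[session_id] = anchor

    def verify(self, session_id: str, token: bytes) -> bool:
        last = self._last.get(session_id)
        if last is None:
            return False
        current = token
        for _ in range(self.window):
            current = H(current)
            if hmac.compare_digest(current, last):
                self._last[session_id] = token    # this link is now burnt
                return True
        return False                     # replay, out-of-order, or forged


def demo():
    """Login, two valid requests, and a replay of the first token in between."""
    client, server = OTCClient(length=5), OTCServer()
    server.login("sess-1", client.anchor)
    t1 = client.next_token()
    first = server.verify("sess-1", t1)       # True
    replayed = server.verify("sess-1", t1)    # False: H(t1) is the anchor, not t1
    second = server.verify("sess-1", client.next_token())  # True
    return first, replayed, second


if __name__ == "__main__":
    print(demo())
```

The property that makes a captured token useless is visible in `verify`: the server compares `H(token)` against the link it last accepted, so the token the eavesdropper saw is precisely the value it will never accept again, and the preimage it would need next is still only on the client. Note the trade-off the window exposes: the larger it is, the more lost requests are tolerated, but the more of the chain an attacker who races the client can burn.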

The most recent survey out there seems to be the one written by Ka-Ping Yee in 2002, which is considered ancient in the evolution of the WWW/Internet. The upside is that it surveyed 12 browsers across 3 OSs, which may give a fair insight into how they adapted cookie management.

Yee, Ka-Ping, "A survey of Cookie Management Functionality and Usability in Web browsers," http://zesty.ca/2002/priv/cookie-survey.pdf, 2002.

Another more recent article, although less relevant, was written by Yue, Xie, and Wang in 2009 (published in 2010). It conducted a large-scale study on HTTP cookie management with more than 5000 websites, using a system that can automatically validate the usefulness of cookies from a website and set the cookie usage permission on behalf of users.

Chuan Yue, Mengjun Xie, and Haining Wang, "An Automatic HTTP Cookie Management System," in Journal of Computer Networks (COMNET), 54(13) pp. 2182--2198, 2010.

William Niu

You might want to check

http://lists.w3.org/Archives/Public/www-tag/2011Mar/0021.html

which refers to

http://www.ietf.org/id/draft-ietf-httpstate-cookie-23.txt

This is intended to obsolete RFC 2965.

"Document Quality

This document defines the HTTP Cookie and Set-Cookie HTTP
header fields as they are presently utilized on the Internet. As a
result, there are already many implementations of this specification."
Matthew Wilson
  • And how does this answer my question on the browsers’ compliance with the mentioned specifications? – Gumbo Mar 30 '11 at 13:13
  • It seemed like useful and current information about which specs browsers are compliant with. Would you have preferred it as a comment instead of an answer? – Matthew Wilson Mar 30 '11 at 14:16
  • I didn’t read the draft yet to get to know how it differs from RFC 2965. But besides that, there are many RFCs that are obsolete but still in use in today’s browsers. So I guess your post is rather a commentary note than an answer to my question. But thanks anyway. – Gumbo Mar 30 '11 at 14:48