The HTTP State Management Mechanism (Cookies) was original created by Netscape Communications in their Netscape cookie specification, from which a formal specification followed (RFC 2109, RFC 2965). Due to years of implementation and extension, several ambiguities have become evident, impairing interoperability and the ability to easily implement and use HTTP State Management Mechanism.
I’m on the list from the start and I hope to be able to contribute some of my cookie experiences and knowledge to aid the document to actually end up with something useful. The ambition, while it was “toned down” somewhat since the initial posts of the mailing lists, is still fairly high I would claim:
The working group will refine RFC2965 to:
- Incorporate errata and updates
- Clarify conformance requirements
- Remove known ambiguities where they affect interoperability
- Clarify existing methods of extensibility
- Remove or deprecate those features that are not widely implemented and also unduly affect interoperability
- Add features that are already widely implemented or have a critical mass of support
- Where necessary, add implementation advice
- Document the security properties of HTTP State Management Mechanism and its associated mechanisms for common applications
In doing so, it should consider:
- Implementer experience
- Demonstrated use of HTTP State Management Mechanism
- Impact on existing implementations and deployments
- Ability to achieve broad implementation.
- Ability to address broader use cases than may be contemplated by the original authors.
The Working Group’s specification deliverables are:
- A document that is suitable to supersede RFC 2965
- A document cataloging the security properties of HTTP State Management Mechanism
I think this is a scope that is manageable enough to actually have a chance to succeed and its planning is quite similar to that of the IETF httpbis group. Still, RFC2965 lists a huge pile of stuff that has never been implemented by anyone and even though it was a while since I did read that spec I also expect it to lack several things existing cookie parsers and senders already use. The notorious IE httpOnly is an example I can think of right now.