Protocol Action: Proposed HTTP State Management Mechanism to Proposed Standard

  The IESG has approved the Internet-Draft "Proposed HTTP State Management
  Mechanism" <draft-ietf-http-state-mgmt-05.txt, .ps> as a Proposed
  Standard. This document is the product of the HyperText Transfer Protocol
  Working Group. The IESG contact persons are Keith Moore and Harald
  Alvestrand.


Technical Summary

  This protocol extension defines a way for HTTP servers to ask clients
  to maintain "per-session" state for them.  This is accomplished by
  having the server encode state information in a "cookie" which is
  given to the client on an initial transaction, and which the client
  includes along with future transaction requests for a particular set
  of URIs (not necessarily to the same server as issued the original
  cookie).  Having clients keep state, especially across server
  boundaries, is somewhat controversial, since it can violate users'
  expectations of privacy.  However, state management can be
  accomplished even with vanilla HTTP by encoding "cookies" in URLs.
  Explicit HTTP support for state management is preferable to that
  alternative.

  The document attempts to explicitly address users' security and
  privacy concerns by: requiring clients to ignore server-supplied
  cookies in certain situations; insisting that (in certain
  circumstances) users be made aware of, and have control over, whether
  a cookie is sent to a server with a different domain than the server
  that provided the current page; and requiring that clients provide
  the user with certain mechanisms to know when a stateful session is
  in progress and/or to control whether and under what conditions
  cookies are being stored by the client.

  The document also defines mechanisms which allow a server to specify
  the behavior of HTTP caches with respect to state management
  information.

  The extension defined here is similar to the Netscape HTTP state
  management mechanism which is already in wide use; thus, the
  implications of using this extension are believed to be well
  understood.  The document includes advice for servers on how to
  interoperate with user agents that use Netscape's method.

Working Group Summary

  There was significant working group discussion of both the protocol
  and the provisions for user privacy, but the group reached consensus
  on the current document.

Protocol Quality

  Keith Moore reviewed the spec for IESG.

Received on Monday, 2 December 1996 16:41:30 UTC