Re: new cookie draft from M. Hedlund on 1997-03-20 (ietf-http-wg@w3.org from January to March 1997)

From: M. Hedlund <hedlund@best.com>
Date: Thu, 20 Mar 1997 11:03:13 -0800 (PST)
To: Koen Holtman <koen@win.tue.nl>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.SGI.3.95.970320103332.13858C-100000@shellx.best.com>

On Thu, 20 Mar 1997, Koen Holtman wrote:
> >1) I'll drop the "same port" requirement.  (Cookies can return to any
> >port on any host to which they could otherwise legitimately be sent.)
> 
> Dropping this requirement opens a significant security hole, because not all
> servers on the same host need to be run by the same people.  Others have
> called this a `marginal case', but I do not want to ignore it: really tiny
> sites need security too.

In defense of my assertion that this is a marginal case:

The only case in which we would need a port restriction would be when two
Web servers are running on the same host with the same server name but
different port numbers: 

	+ If domain is not specified in the set-cookie, it defaults to
	  request host and can meet the conditions listed above; and in this
	  case, we should consider a port restriction. 

	+ If domain is specified, though, the cookie can be sent to any
	  server in the domain given, so a port restriction makes no sense: 
	  one could start a server in the specified domain on the same port
	  but a different host, and get around a port restriction. 

	+ Finally, if two servers are on the same physical host but run
	  under different server names (using vitrual hosting)  -- which is,
	  I would guess, a more common case than the first -- this problem
	  does not arise, so again a port restriction makes no sense. 

It is unlikely (though not impossible) that a privacy- or security-
sensitive application would be run under the first case: on a host where
others could set up a server with the same name but a different port
number.  I still think it is a marginal case. 

I certainly agree, however, that "really tiny sites need security too," and
would be more than happy to try to improve the port restriction if it is
important to you or others. 

> Domain Selection 
>      The origin server's fully-qualified host name must domain-match the
>      Domain attribute of the cookie.  If the cookie does not explicitely
>      specify a Domain attribute, the origin server's port number must
>      equal the port number of the server that sent the cookie.

This seems reasonable to me, although we're getting into the realm of weird
implicit behavior again.  My impulse is to suggest that the 'secure'
keyword trigger a same-port restriction (which would have a side effect of
making 'secure'-labelled SSL-transmitted cookies, which will likely come
from port 443, returnable to port 443 only ......hmm) but I suspect that's
not going to mesh well with a variety of 'secure' techniques.  The reason I
suggest it is that then a keyword indicates a higher level of resturction,
rather than a default setting on an option attribute (domain). 

M. Hedlund <hedlund@best.com>

Received on Thursday, 20 March 1997 11:20:12 UTC