Re: Some half-baked thoughts about cookies. from Mark Nottingham on 2018-08-15 (ietf-http-wg@w3.org from July to September 2018)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 15 Aug 2018 14:36:59 +1000
To: Mike West <mkwst@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <FFE3C4C7-210B-4BE1-9A45-23B60A01D32C@mnot.net>

Hi Mike,

On 14 Aug 2018, at 8:38 pm, Mike West <mkwst@google.com> wrote:
> 
> Hey folks,
> 
> https://github.com/mikewest/http-state-tokens suggests that we should introduce a client-controlled, origin-bound, HTTPS-only session identifier for network-level state management. And eventually deprecate cookies.
> 
> I think there's a conversation here worth having, and this group has thought a lot about the space over the last decade or two. I'd appreciate y'all's feedback, both about the problems the document discusses with regard to cookies as they exist today, and about the sketchy proposal it advances about managing HTTP state in the future.

This reminds me very much of a proposal from Apple that was floating around a few years ago. Do you remember the source? I can dig around if you don't.

I think the pushback at the time was that it didn't have significantly better privacy properties as compared to cookies. Looking at what you've written, it seems like you're trying to "reset the defaults" for cookies more than anything -- i.e., make them origin-scoped, secure, etc. out of the box.

Personally I think that's a worthy goal, for the same reasons that you point out at the top of the doc; current security mechanisms are getting abysmally low deployment.

By it's nature, this is a very long-term process (much as the transition to HTTPS is, although hopefully less painful). It's probably premature to speculate about how exactly the transition will happen (in terms of incentives), but *some* sense that it's at least possible would be good. Maybe the HTTPS transition is proof enough.

Overall, I personally think this is worth pursuing, as long as we understand it's a very long-term thing.

One specific thing -- requiring a single token that's generated by the client precludes a server using this to distribute state to load balancers, CDNs, etc. for various purposes, which is a fairly common pattern. I suspect that the current design is going to create friction against deployment as a result; it effectively places all state at the origin.

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 15 August 2018 04:37:31 UTC