cookies - state management improvement

Hello the list,

Some time ago, I have submitted a draft proposal introducing a way to
limit the visibility of cookies within the user's web browser
(https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/).

I was informed by the independent draft editor that any proposal to IETF
standards does not get traction automatically by means of draft
publication (despite my first impression), but should rather be
introduced and discussed here on this list.

So, I'd like to bring up a problem, which my proposal attempts to solve,
which is the following:

1. computer users - even unconsciously - do focus on a particular work
context by selecting an application WEB/MAIL/DOC/etc.

2. this goes somewhat further, when user selects DOC context (working
with word processor), but opens simultaneously different documents: an
annual financial report; a fragment of legal code; or user complaint.

3. doing such work in "cloud" environment, this often means logging in
with different credentials to different systems:
corporate-internal-site, legal-firm-external, call-center-external.
Those sites will require different credentials to access them, but are
accessed "simultaneously" on side-by-side windows or tabs of a browser.

4. IT people do work with separate contexts like separate servers being
accessed by one person, again: often with different credentials.

5. Unfortunately, separate context in web-browser world is achieved by
separate URL - such separate "contexts" users work with simultaneously
using separate windows and/or tabs-of-window. Separate windows/tabs
don't separate context as viewed from "state management" perspective -
cookies perspective.

6. on the other hand, cookies were devised for the purpose of "state
management", but since they are shared within a browser, one has to use
separate URL to allow for context separation at the level of login
session separation. This is neither aesthetical nor insecure.

But I think that adding one optional attribute to cookies could support
context separation of web browser window tabs more elegant than unique
(and looking as random string) URL diversification.

I'd happily present more evidence and more arguments for the proposed
cookie attribute, should there be any interest on the list to
investigate the problem.

With best regards,

-- 
Rafał Pietrak

Received on Tuesday, 23 March 2021 10:34:34 UTC