Message Signatures and Cookies

Hello HTTPbis Working Group,

Let's talk about cookies. :) Specifically, let's talk about signing individual cookies, rather than the whole `Cookie` header field.

Why would an application need to do that? Consider a web application that uses a `session-id` cookie to represent session state, and uses JavaScript to make requests from the user agent back to the application's web server.


  1.  The web server sits behind a load balancer that uses a cookie to support sticky sessions, and the load balancer strips that cookie from requests before forwarding them to the application servers.
  2.  The web server is actually a "serverless" application platform that processes the HTTP request and presents it to the web application's code in a structured format that does not preserve details such as exact ordering of cookies in the request.
  3.  There are one or more cookies with the HttpOnly flag set, such that JavaScript code does not have access to every cookie that will be sent by the browser.
  4.  The JavaScript code may not know the order in which the browser will present cookies in the `Cookies` header field.

I propose addressing this by introducing another special message component identifier, `@cookie`, which MUST have a `name` parameter, whose value indicates the name of the cookie to be signed. The value of this message component is the value of the named cookie, encoded as a structured field string. So for cookie named "cookie-flavor" with value "Chocolate Chip", the signature input would look like this:

"@cookie";name="cookie-flavor": "Chocolate Chip"

I'd like to get input on a few open questions before I go write this up in the draft (or abort, if the input is along the lines of "OMG DO NOT DO THIS"):


  1.  Are there compelling reasons why this simply won't work?

  2.  This syntax is clunky, but it's the best I've been able to come up with given that cookie names can contain characters that are not allowed within structured field keys. (e.g., upper-case letters) Any suggestions on improving it?
     *   One nasty thing about this syntax is that the `name` parameter has to be required, because you can't simply create a dictionary of cookie name to cookie value within structured fields.

  3.  This feels perilously close to defining a "Structured Cookies" format. Is there interest in doing that? Cookie3, anyone? ;)

  4.  Even if we give question #2 a miss, is cookie signing complicated enough to warrant its own spec, as an extension to Message Signatures?

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>

Received on Friday, 24 September 2021 21:53:10 UTC