メインコンテンツまでスキップ

5. ユーザーエージェント要件 (User_Agent_Requirements)

This section specifies the Cookie and Set-Cookie headers in sufficient detail that a user agent implementing these requirements precisely can interoperate with existing servers (even those that do not conform to the well-behaved profile described in Section 4).

A user agent could enforce more restrictions than those specified herein (e.g., for the sake of improved security); however, experiments have shown that such strictness reduces the likelihood that a user agent will be able to interoperate with existing servers.

5.1. Subcomponent Algorithms

This section defines some algorithms used by user agents to process specific subcomponents of the Cookie and Set-Cookie headers.

5.1.1. Dates

The user agent MUST use an algorithm equivalent to the following algorithm to parse a cookie-date. Note that the various boolean flags defined as a part of the algorithm (i.e., found-time, found- day-of-month, found-month, found-year) are initially "not set".

cookie-date = *delimiter date-token-list delimiter date-token-list = date-token ( 1delimiter date-token ) date-token = 1non-delimiter

delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF non-digit = %x00-2F / %x3A-FF

day-of-month = 1*2DIGIT ( non-digit *OCTET ) month = ( "jan" / "feb" / "mar" / "apr" / "may" / "jun" / "jul" / "aug" / "sep" / "oct" / "nov" / "dec" ) OCTET year = 24DIGIT ( non-digit *OCTET ) time = hms-time ( non-digit OCTET ) hms-time = time-field ":" time-field ":" time-field time-field = 12DIGIT

appear in the cookie-date:

time production, set the found-time flag and set the hour- value, minute-value, and second-value to the numbers denoted by the digits in the date-token, respectively. Skip the remaining sub-steps and continue to the next date-token.

matches the day-of-month production, set the found-day-of- month flag and set the day-of-month-value to the number denoted by the date-token. Skip the remaining sub-steps and continue to the next date-token.

the month production, set the found-month flag and set the month-value to the month denoted by the date-token. Skip the remaining sub-steps and continue to the next date-token.

the year production, set the found-year flag and set the year-value to the number denoted by the date-token. Skip the remaining sub-steps and continue to the next date-token.

equal to 99, increment the year-value by 1900.

equal to 69, increment the year-value by 2000.

differently.

  • at least one of the found-day-of-month, found-month, found- year, or found-time flags is not set,

  • the day-of-month-value is less than 1 or greater than 31,

  • the year-value is less than 1601,

  • the hour-value is greater than 23,

  • the minute-value is greater than 59, or

  • the second-value is greater than 59.

(Note that leap seconds cannot be represented in this syntax.)

year, hour, minute, and second (in UTC) are the day-of-month- value, the month-value, the year-value, the hour-value, the minute-value, and the second-value, respectively. If no such date exists, abort these steps and fail to parse the cookie-date.

5.1.2. Canonicalized Host Names

A canonicalized host name is the string generated by the following algorithm:

labels.

to an A-label (see Section 2.3.2.1 of [RFC5890] for the former and latter), or to a "punycode label" (a label resulting from the "ToASCII" conversion in Section 4 of [RFC3490]), as appropriate (see Section 6.3 of this specification).

character.

5.1.3. Domain Matching

A string domain-matches a given domain string if at least one of the following conditions hold:

o The domain string and the string are identical. (Note that both the domain string and the string will have been canonicalized to lower case at this point.)

o All of the following conditions hold:

  • The domain string is a suffix of the string.

  • The last character of the string that is not included in the domain string is a %x2E (".") character.

  • The string is a host name (i.e., not an IP address).

5.1.4. Paths and Path-Match

The user agent MUST use an algorithm equivalent to the following algorithm to compute the default-path of a cookie:

portion exists (and empty otherwise). For example, if the request-uri contains just a path (and optional query string), then the uri-path is that path (without the %x3F ("?") character or query string), and if the request-uri contains a full absoluteURI, the uri-path is the path component of that URI.

path is not a %x2F ("/") character, output %x2F ("/") and skip the remaining steps.

output %x2F ("/") and skip the remaining step.

to, but not including, the right-most %x2F ("/").

A request-path path-matches a given cookie-path if at least one of the following conditions holds:

o The cookie-path and the request-path are identical.

o The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").

o The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie- path is a %x2F ("/") character.

5.2. The Set-Cookie Header

When a user agent receives a Set-Cookie header field in an HTTP response, the user agent MAY ignore the Set-Cookie header field in its entirety. For example, the user agent might wish to block responses to "third-party" requests from setting cookies (see Section 7.1).

If the user agent does not ignore the Set-Cookie header field in its entirety, the user agent MUST parse the field-value of the Set-Cookie header field as a set-cookie-string (defined below).

NOTE: The algorithm below is more permissive than the grammar in Section 4.1. For example, the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace), whereas the grammar in Section 4.1 forbids whitespace in these positions. User agents use this algorithm so as to interoperate with servers that do not follow the recommendations in Section 4.

A user agent MUST use an algorithm equivalent to the following algorithm to parse a "set-cookie-string":

The name-value-pair string consists of the characters up to, but not including, the first %x3B (";"), and the unparsed- attributes consist of the remainder of the set-cookie-string (including the %x3B (";") in question).

Otherwise:

The name-value-pair string consists of all the characters contained in the set-cookie-string, and the unparsed- attributes is the empty string.

ignore the set-cookie-string entirely.

to, but not including, the first %x3D ("=") character, and the (possibly empty) value string consists of the characters after the first %x3D ("=") character.

string and the value string.

entirely.

value string.

The user agent MUST use an algorithm equivalent to the following algorithm to parse the unparsed-attributes:

these steps.

will be a %x3B (";") character).

character:

Consume the characters of the unparsed-attributes up to, but not including, the first %x3B (";") character.

Otherwise:

Consume the remainder of the unparsed-attributes.

Let the cookie-av string be the characters consumed in this step.

The (possibly empty) attribute-name string consists of the characters up to, but not including, the first %x3D ("=") character, and the (possibly empty) attribute-value string consists of the characters after the first %x3D ("=") character.

Otherwise:

The attribute-name string consists of the entire cookie-av string, and the attribute-value string is empty.

name string and the attribute-value string.

requirements in the following subsections. (Notice that attributes with unrecognized attribute-names are ignored.)

When the user agent finishes parsing the set-cookie-string, the user agent is said to "receive a cookie" from the request-uri with name cookie-name, value cookie-value, and attributes cookie-attribute- list. (See Section 5.3 for additional requirements triggered by receiving a cookie.)

5.2.1. The Expires Attribute

If the attribute-name case-insensitively matches the string "Expires", the user agent MUST process the cookie-av as follows.

Let the expiry-time be the result of parsing the attribute-value as cookie-date (see Section 5.1.1).

If the attribute-value failed to parse as a cookie date, ignore the cookie-av.

If the expiry-time is later than the last date the user agent can represent, the user agent MAY replace the expiry-time with the last representable date.

If the expiry-time is earlier than the earliest date the user agent can represent, the user agent MAY replace the expiry-time with the earliest representable date.

Append an attribute to the cookie-attribute-list with an attribute- name of Expires and an attribute-value of expiry-time.

5.2.2. The Max-Age Attribute

If the attribute-name case-insensitively matches the string "Max- Age", the user agent MUST process the cookie-av as follows.

If the first character of the attribute-value is not a DIGIT or a "-" character, ignore the cookie-av.

If the remainder of attribute-value contains a non-DIGIT character, ignore the cookie-av.

Let delta-seconds be the attribute-value converted to an integer.

If delta-seconds is less than or equal to zero (0), let expiry-time be the earliest representable date and time. Otherwise, let the expiry-time be the current date and time plus delta-seconds seconds.

Append an attribute to the cookie-attribute-list with an attribute- name of Max-Age and an attribute-value of expiry-time.

5.2.3. The Domain Attribute

If the attribute-name case-insensitively matches the string "Domain", the user agent MUST process the cookie-av as follows.

If the attribute-value is empty, the behavior is undefined. However, the user agent SHOULD ignore the cookie-av entirely.

If the first character of the attribute-value string is %x2E ("."):

Let cookie-domain be the attribute-value without the leading %x2E (".") character.

Otherwise:

Let cookie-domain be the entire attribute-value.

Convert the cookie-domain to lower case.

Append an attribute to the cookie-attribute-list with an attribute- name of Domain and an attribute-value of cookie-domain.

5.2.4. The Path Attribute

If the attribute-name case-insensitively matches the string "Path", the user agent MUST process the cookie-av as follows.

If the attribute-value is empty or if the first character of the attribute-value is not %x2F ("/"):

Let cookie-path be the default-path.

Otherwise:

Let cookie-path be the attribute-value.

Append an attribute to the cookie-attribute-list with an attribute- name of Path and an attribute-value of cookie-path.

5.2.5. The Secure Attribute

If the attribute-name case-insensitively matches the string "Secure", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of Secure and an empty attribute-value.

5.2.6. The HttpOnly Attribute

If the attribute-name case-insensitively matches the string "HttpOnly", the user agent MUST append an attribute to the cookie- attribute-list with an attribute-name of HttpOnly and an empty attribute-value.

5.3. Storage Model

The user agent stores the following fields about each cookie: name, value, expiry-time, domain, path, creation-time, last-access-time, persistent-flag, host-only-flag, secure-only-flag, and http-only- flag.

When the user agent "receives a cookie" from a request-uri with name cookie-name, value cookie-value, and attributes cookie-attribute- list, the user agent MUST process the cookie as follows:

example, the user agent might wish to block receiving cookies from "third-party" responses or the user agent might not wish to store cookies that exceed some size.

Set the creation-time and the last-access-time to the current date and time.

attribute-name of "Max-Age":

Set the cookie's persistent-flag to true.

Set the cookie's expiry-time to attribute-value of the last attribute in the cookie-attribute-list with an attribute-name of "Max-Age".

Otherwise, if the cookie-attribute-list contains an attribute with an attribute-name of "Expires" (and does not contain an attribute with an attribute-name of "Max-Age"):

Set the cookie's persistent-flag to true.

Set the cookie's expiry-time to attribute-value of the last attribute in the cookie-attribute-list with an attribute-name of "Expires".

Otherwise:

Set the cookie's persistent-flag to false.

Set the cookie's expiry-time to the latest representable date.

attribute-name of "Domain":

Let the domain-attribute be the attribute-value of the last attribute in the cookie-attribute-list with an attribute-name of "Domain".

Otherwise:

Let the domain-attribute be the empty string.

the domain-attribute is a public suffix:

If the domain-attribute is identical to the canonicalized request-host:

Let the domain-attribute be the empty string.

Otherwise:

Ignore the cookie entirely and abort these steps.

NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/.

If the canonicalized request-host does not domain-match the domain-attribute:

Ignore the cookie entirely and abort these steps.

Otherwise:

Set the cookie's host-only-flag to false.

Set the cookie's domain to the domain-attribute.

Otherwise:

Set the cookie's host-only-flag to true.

Set the cookie's domain to the canonicalized request-host.

attribute-name of "Path", set the cookie's path to attribute- value of the last attribute in the cookie-attribute-list with an attribute-name of "Path". Otherwise, set the cookie's path to the default-path of the request-uri.

attribute-name of "Secure", set the cookie's secure-only-flag to true. Otherwise, set the cookie's secure-only-flag to false.

attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.

cookie's http-only-flag is set, abort these steps and ignore the cookie entirely.

domain, and path as the newly created cookie:

domain, and path as the newly created cookie. (Notice that this algorithm maintains the invariant that there is at most one such cookie.)

API and the old-cookie's http-only-flag is set, abort these steps and ignore the newly created cookie entirely.

match the creation-time of the old-cookie.

A cookie is "expired" if the cookie has an expiry date in the past.

The user agent MUST evict all expired cookies from the cookie store if, at any time, an expired cookie exists in the cookie store.

At any time, the user agent MAY "remove excess cookies" from the cookie store if the number of cookies sharing a domain field exceeds some implementation-defined upper bound (such as 50 cookies).

At any time, the user agent MAY "remove excess cookies" from the cookie store if the cookie store exceeds some predetermined upper bound (such as 3000 cookies).

When the user agent removes excess cookies from the cookie store, the user agent MUST evict cookies in the following priority order:

number of other cookies.

If two cookies have the same removal priority, the user agent MUST evict the cookie with the earliest last-access date first.

When "the current session is over" (as defined by the user agent), the user agent MUST remove from the cookie store all cookies with the persistent-flag set to false.

5.4. The Cookie Header

The user agent includes stored cookies in the Cookie HTTP request header.

When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.

A user agent MAY omit the Cookie header in its entirety. For example, the user agent might wish to block sending cookies during "third-party" requests from setting cookies (see Section 7.1).

If the user agent does attach a Cookie header field to an HTTP request, the user agent MUST send the cookie-string (defined below) as the value of the header field.

The user agent MUST use an algorithm equivalent to the following algorithm to compute the "cookie-string" from a cookie store and a request-uri:

meets all of the following requirements:

  • Either:

    The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.

    Or:

    The cookie's host-only-flag is false and the canonicalized request-host domain-matches the cookie's domain.

  • The request-uri's path path-matches the cookie's path.

  • If the cookie's secure-only-flag is true, then the request- uri's scheme must denote a "secure" protocol (as defined by the user agent).

    NOTE: The notion of a "secure" protocol is not defined by this document. Typically, user agents consider a protocol secure if the protocol makes use of transport-layer

    security, such as SSL or TLS. For example, most user agents consider "https" to be a scheme that denotes a secure protocol.

  • If the cookie's http-only-flag is true, then exclude the cookie if the cookie-string is being generated for a "non- HTTP" API (as defined by the user agent).

order:

  • Cookies with longer paths are listed before cookies with shorter paths.

  • Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times.

NOTE: Not all user agents sort the cookie-list in this order, but this order reflects common practice when this document was written, and, historically, there have been servers that (erroneously) depended on this order.

the current date and time.

cookie in the cookie-list in order:

cookie's value.

the characters %x3B and %x20 ("; ").

NOTE: Despite its name, the cookie-string is actually a sequence of octets, not a sequence of characters. To convert the cookie-string (or components thereof) into a sequence of characters (e.g., for presentation to the user), the user agent might wish to try using the UTF-8 character encoding [RFC3629] to decode the octet sequence. This decoding might fail, however, because not every sequence of octets is valid UTF-8.

最終更新