RFC 6265 - HTTP State Management Mechanism
Publication Date: April 2011
Author: A. Barth (U.C. Berkeley)
Status: Standards Track
Obsoletes: RFC 2965
Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965.
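The abstract summarises the mechanism: a server emits Set-Cookie, the user agent stores the cookie and returns it in Cookie on later requests. The following is an added Python example, not text or code from the RFC, that walks through the parts of that exchange a practitioner most often gets wrong. It implements the Set-Cookie parsing of section 5.2, the Domain rejection rule of section 5.3 (a server must not be able to set a cookie for an unrelated host), the domain-match and path-match definitions of section 5.1, and the Cookie header selection of section 5.4, including withholding Secure cookies over plain http. The `SID=31d4d96e407aad42` value is the RFC's own example; `lang=en-US` and the hostnames are constructed inputs. Expires handling and the full grammar are deliberately omitted, so this is an illustration of the algorithm, not a complete cookie store.

```python
"""Added example: an RFC 6265-style Set-Cookie parser and Cookie header builder.
Illustrative code written for this page; it is not the RFC's text and omits
Expires, cookie limits and persistence."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # host (lower-cased) the cookie is scoped to
    host_only: bool         # True when the server sent no Domain attribute
    path: str
    secure: bool = False
    http_only: bool = False
    max_age: Optional[int] = None   # seconds; <= 0 means "expire immediately"


def default_path(request_path: str) -> str:
    """Section 5.1.4 default-path: up to, not including, the right-most '/'."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def domain_match(string: str, domain: str) -> bool:
    """Section 5.1.3: equal, or string is a subdomain label of domain
    (and not an IPv4 literal; the dotted-digits check is a simplification)."""
    if string == domain:
        return True
    return string.endswith("." + domain) and not string.replace(".", "").isdigit()


def path_match(request_path: str, cookie_path: str) -> bool:
    """Section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_url: str) -> Optional[Cookie]:
    """Section 5.2 parsing of one Set-Cookie header, returning None where the
    RFC says the user agent MUST ignore the header entirely."""
    req = urlsplit(request_url)
    req_host = (req.hostname or "").lower()
    pair, _, attr_string = header.partition(";")
    if "=" not in pair:
        return None                               # 5.2 step 1: no '=' -> ignore
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None                               # empty cookie-name -> ignore
    cookie = Cookie(name=name, value=value, domain=req_host, host_only=True,
                    path=default_path(req.path))
    for attr in attr_string.split(";"):
        attr_name, _, attr_value = attr.partition("=")
        attr_name, attr_value = attr_name.strip().lower(), attr_value.strip()
        if attr_name == "domain" and attr_value:
            domain = attr_value.lstrip(".").lower()
            # 5.3 step 6: if the request host does not domain-match the
            # attribute, ignore the whole cookie (blocks cross-site scoping).
            if not domain_match(req_host, domain):
                return None
            cookie.domain, cookie.host_only = domain, False
        elif attr_name == "path":
            cookie.path = attr_value if attr_value.startswith("/") else default_path(req.path)
        elif attr_name == "max-age":
            if re.fullmatch(r"-?\d+", attr_value):
                cookie.max_age = int(attr_value)  # 5.2.2; malformed values are ignored
        elif attr_name == "secure":
            cookie.secure = True
        elif attr_name == "httponly":
            cookie.http_only = True
        # Expires and unknown attributes are skipped in this illustration.
    return cookie


def cookie_header(jar: List[Cookie], request_url: str) -> str:
    """Section 5.4: select the cookies to send for request_url and serialise
    them as the value of a Cookie header (longer paths first)."""
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    selected = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue                              # host-only: exact host required
        if not c.host_only and not domain_match(host, c.domain):
            continue
        if not path_match(req.path or "/", c.path):
            continue
        if c.secure and req.scheme != "https":
            continue                              # Secure cookies never go over http
        if c.max_age is not None and c.max_age <= 0:
            continue                              # already expired
        selected.append(c)
    selected.sort(key=lambda c: -len(c.path))    # sort is stable, so ties keep jar order
    return "; ".join(f"{c.name}={c.value}" for c in selected)


if __name__ == "__main__":
    jar = [c for c in (
        parse_set_cookie("SID=31d4d96e407aad42; Path=/; Secure; HttpOnly", "https://example.com/login"),
        parse_set_cookie("lang=en-US; Domain=example.com; Path=/", "https://www.example.com/"),
        parse_set_cookie("evil=1; Domain=attacker.example", "https://example.com/"),  # rejected
    ) if c is not None]
    print(cookie_header(jar, "https://example.com/account"))  # SID and lang
    print(cookie_header(jar, "http://example.com/"))          # lang only: Secure withheld
```

The two points worth noticing are the Domain check in `parse_set_cookie`, which is what keeps `example.com` from planting cookies for `attacker.example` (and vice versa), and the scheme check in `cookie_header`, which is the only thing standing between a Secure session cookie and a clear-text request; both correspond to items the RFC's own Security Considerations (sections 8.3 and 8.5 to 8.7) discuss in prose.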
Table of Contents
- 1. Introduction
- 2. Conventions
- 2.1. Conformance Criteria
- 2.2. Syntax Notation
- 2.3. Terminology
- 3. Overview
- 3.1. Examples
- 4. Server Requirements
- 4.1. Set-Cookie
- 4.2. Cookie
- 5. User Agent Requirements
- 5.1. Subcomponent Algorithms
- 5.2. The Set-Cookie Header
- 5.3. Storage Model
- 5.4. The Cookie Header
- 6. Implementation Considerations
- 6.1. Limits
- 6.2. Application Programming Interfaces
- 6.3. IDNA Dependency and Migration
- 7. Privacy Considerations
- 7.1. Third-Party Cookies
- 7.2. User Controls
- 7.3. Expiration Dates
- 8. Security Considerations
- 8.1. Overview
- 8.2. Ambient Authority
- 8.3. Clear Text
- 8.4. Session Identifiers
- 8.5. Weak Confidentiality
- 8.6. Weak Integrity
- 8.7. Reliance on DNS
- 9. IANA Considerations
- 9.1. Cookie
- 9.2. Set-Cookie
- 9.3. Cookie2
- 9.4. Set-Cookie2
- 10. References
- 10.1. Normative References
- 10.2. Informative References
Resources
- Official RFC: RFC 6265
- DataTracker: RFC 6265 DataTracker
- Errata: RFC Editor Errata