HTTP State Management Mechanism (httpstate)
-------------------------------------------

 Charter
 Last Modified: 2010-04-21

 Current Status: Active Working Group

 Chair(s):
     Jeff Hodges  <Jeff.Hodges@kingsmountain.com>

 Applications Area Director(s):
     Alexey Melnikov  <alexey.melnikov@isode.com>
     Peter Saint-Andre  <stpeter@stpeter.im>

 Applications Area Advisor:
     Peter Saint-Andre  <stpeter@stpeter.im>

 Mailing Lists: 
     General Discussion:http-state@ietf.org
     To Subscribe:      https://www.ietf.org/mailman/listinfo/http-state
     Archive:           http://www.ietf.org/mail-archive/web/http-state/current/maillist.html

Description of Working Group:

The HTTP State Management Mechanism (aka Cookies) was originally
created by Netscape Communications in their informal Netscape cookie
specification ("cookie_spec.html"), from which formal specifications
RFC 2109 and RFC 2965 evolved. The formal specifications, however,
were never fully implemented in practice; RFC 2109, in addition to
cookie_spec.html, more closely resemble real-world implementations
than RFC 2965, even though RFC 2965 officially obsoletes the former.
Compounding the problem are undocumented features (such as HTTPOnly),
and varying behaviors among real-world implementations.

The working group will create a new RFC that:
 * obsoletes RFC 2109,
 * updates RFC 2965 to the extent it overlaps or voids RFC 2109, and
 * specifies Cookies as they are actually used in existing 
   implementations and deployments.

Where commonalities exist in the most widely used implementations, the
working group will specify the common behavior. Where differences exist 
among the most widely used implementations, the working group will 
document the variations and seek consensus to reduce variation by 
selecting among the most widely used variations.

The working group must not introduce any new syntax or new semantics
not already in common use.

The working group's specific deliverables are:
* A standards-track document that is suitable to supersede RFC 2109 
  (likely based on draft-abarth-cookie)
* An informational document cataloguing the differences between major
  implementations

In doing so, the working group should consider:

* cookie_spec.html - Netscape Cookie Specification
  
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
* RFC 2109 - HTTP State Management Mechanism (Obsoleted by RFC 2965)
   http://tools.ietf.org/html/rfc2109
* RFC 2964 - Use of HTTP State Management
   http://tools.ietf.org/html/rfc2964
* RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
   http://tools.ietf.org/html/rfc2965
* I-D - HTTP State Management Mechanism v2
   http://tools.ietf.org/html/draft-pettersen-cookie-v2
* I-D - Cookie-based HTTP Authentication
   http://tools.ietf.org/html/draft-broyer-http-cookie-auth
* Widely Implemented - HTTPOnly
   http://www.owasp.org/index.php/HTTPOnly
* Browser Security Handbook - Cookies
  
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
* HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol
   http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf

 Goals and Milestones:

   Mar 2010       Feature-complete Internet-Draft of Cookie specification 

   May 2010       Feature-complete test suite of Cookie specification 

   Jun 2010       Feature-complete draft of deviation description 

   Jul 2010       First fully conforming implementation in a major browser 

   Sep 2010       Last Call for Cookie specification 

   Oct 2010       Last Call for deviation description 

   Dec 2010       Second fully conforming implementation in a major browser 

   Jan 2011       Submit Cookie specification to IESG for consideration as a 
                Draft Standard 

   Jan 2011       Submit deviation description to IESG for consideration as 
                Informationa 

   Mar 2011       Close or recharter 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jan 2010 Oct 2010   <draft-ietf-httpstate-cookie-16.txt>
                HTTP State Management Mechanism 

 Request For Comments:

  None to date.