SCS: KoanLogic's Secure Cookie Sessions for HTTP
RFC 6896
| Field | Value |
|---|---|
| Document type | RFC - Informational (March 2013; Errata). Was draft-secure-cookie-session-protocol (individual) |
| Authors | Stefano Barbato, Steven Dorigotti, Thomas Fossati |
| Last updated | 2020-01-21 |
| Stream | ISE |
| Formats | plain text, html, pdf, htmlized with errata, bibtex |
| IETF conflict review | conflict-review-secure-cookie-session-protocol |
| ISE state | Published RFC |
| Consensus boilerplate | Unknown |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 6896 (Informational) |
| Telechat date | |
| Responsible AD | (None) |
| Send notices to | (None) |
Independent Submission                                       S. Barbato
Request for Comments: 6896                                 S. Dorigotti
Category: Informational                                  T. Fossati, Ed.
ISSN: 2070-1721                                               KoanLogic
                                                             March 2013

             SCS: KoanLogic's Secure Cookie Sessions for HTTP

Abstract

   This memo defines a generic URI and HTTP-header-friendly envelope for
   carrying symmetrically encrypted, authenticated, and
   origin-timestamped tokens.  It also describes one possible usage of
   such tokens via a simple protocol based on HTTP cookies.

   Secure Cookie Session (SCS) use cases cover a wide spectrum of
   applications, ranging from distribution of authorized content via
   HTTP (e.g., with out-of-band signed URIs) to securing browser
   sessions with diskless embedded devices (e.g., Small Office, Home
   Office (SOHO) routers) or web servers with high availability or
   load-balancing requirements that may want to delegate the handling
   of the application state to clients instead of using shared storage
   or forced peering.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6896.

Barbato, et al.               Informational                     [Page 1]

RFC 6896                          SCS                         March 2013

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1. Introduction
   2. Requirements Language
   3. SCS Protocol
      3.1. SCS Cookie Description
           3.1.1. ATIME
           3.1.2. DATA
           3.1.3. TID
           3.1.4. IV
           3.1.5. AUTHTAG
      3.2. Crypto Transform
           3.2.1. Choice and Role of the Framing Symbol
           3.2.2. Cipher Set
           3.2.3. Compression
           3.2.4. Cookie Encoding
           3.2.5. Outbound Transform
           3.2.6. Inbound Transform
      3.3. PDU Exchange
           3.3.1. Cookie Attributes
                  3.3.1.1. Expires
                  3.3.1.2. Max-Age
                  3.3.1.3. Domain
                  3.3.1.4. Secure
                  3.3.1.5. HttpOnly
   4. Key Management and Session State
   5. Cookie Size Considerations
   6. Acknowledgements
   7. Security Considerations
      7.1. Security of the Cryptographic Protocol
      7.2. Impact of the SCS Cookie Model
           7.2.1. Old Cookie Replay
           7.2.2. Cookie Deletion
           7.2.3. Cookie Sharing or Theft
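The envelope the abstract describes, as an added example that is not part of RFC 6896 or of KoanLogic's own code: an SCS-style token carrying the DATA, ATIME, TID, IV and AUTHTAG fields named in the table of contents, with an outbound transform (encrypt, then authenticate) and an inbound transform that looks up the key by TID, verifies the tag in constant time and checks the timestamp before decrypting. The field order, the "|" framing, base64 encoding, AES-128-CBC with HMAC-SHA256 and the `Keyset` layout are assumptions of this example, not details taken from this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// Keyset: one key identifier (TID) with its encryption and MAC keys (layout assumed for this example).
type Keyset struct{ TID string; EncKey, MACKey []byte }
var b64 = base64.StdEncoding

// Encode produces eDATA|eATIME|eTID|eIV|eAUTHTAG: pad and AES-128-CBC-encrypt DATA, base64 every field, then HMAC-SHA256 the four encoded fields (encrypt-then-MAC).
func Encode(ks Keyset, data []byte, atime int64, iv []byte) (string, error) {
	blk, err := aes.NewCipher(ks.EncKey)
	if err != nil || len(iv) != aes.BlockSize { return "", errors.New("bad key or IV") }
	n := aes.BlockSize - len(data)%aes.BlockSize // PKCS#7 padding length (1..16)
	pt := append([]byte{}, data...); for i := 0; i < n; i++ { pt = append(pt, byte(n)) }
	ct := make([]byte, len(pt)); cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	fields := b64.EncodeToString(ct) + "|" + b64.EncodeToString([]byte(strconv.FormatInt(atime, 10))) +
		"|" + b64.EncodeToString([]byte(ks.TID)) + "|" + b64.EncodeToString(iv)
	mac := hmac.New(sha256.New, ks.MACKey); mac.Write([]byte(fields))
	return fields + "|" + b64.EncodeToString(mac.Sum(nil)), nil
}

// Decode is the inbound side: look up TID, verify AUTHTAG in constant time, check ATIME against maxAge (seconds), and only then decrypt. Every rejection returns a non-nil error.
func Decode(keys map[string]Keyset, cookie string, now, maxAge int64) ([]byte, error) {
	p := strings.Split(cookie, "|")
	if len(p) != 5 { return nil, errors.New("malformed cookie") }
	tid, err := b64.DecodeString(p[2])
	ks, ok := keys[string(tid)]
	if err != nil || !ok { return nil, errors.New("unknown TID") }
	mac := hmac.New(sha256.New, ks.MACKey); mac.Write([]byte(strings.Join(p[:4], "|")))
	tag, err := b64.DecodeString(p[4])
	if err != nil || !hmac.Equal(tag, mac.Sum(nil)) { return nil, errors.New("AUTHTAG mismatch") }
	ct, _ := b64.DecodeString(p[0]); at, _ := b64.DecodeString(p[1]); iv, _ := b64.DecodeString(p[3]) // authenticated now
	atime, err := strconv.ParseInt(string(at), 10, 64)
	if err != nil || atime > now || now-atime > maxAge { return nil, errors.New("ATIME outside session window") }
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 { return nil, errors.New("bad lengths") }
	blk, _ := aes.NewCipher(ks.EncKey)
	pt := make([]byte, len(ct)); cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) { return nil, errors.New("bad padding") }
	return pt[:len(pt)-n], nil
}
```

In a real deployment the IV comes from a CSPRNG per token and the keys from a key-management layer; they are passed in here only so the round trip is reproducible.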