
Slide 1: Back to Cookies!

Slide 2: “Cookies”
► Invented by Netscape, included in Netscape version 0.9β (September, 1994)
► Patent applied for in 1995, granted 1998.
► Quote from original Netscape publication: “The state object is called a cookie, for no compelling reason.”
► Formalized in RFC 2109, February, 1997, which has minor differences from the original Netscape proposal.

Slide 3: RFC 2109 HTTP State Management Mechanism
1. Abstract
2. Terminology

Slide 4: RFC 2109 HTTP State Management Mechanism - continued
2. TERMINOLOGY
► client – an application program that establishes connections for the purpose of sending requests (could be a proxy)
► user agent – the client that initiates a request, usually a browser.
► server
► proxy
► origin server – the server on which a given resource resides.
► fully-qualified domain name (FQDN)

Slide 5: 2. TERMINOLOGY - continued
► request-host
► request-URI (Universal Resource Identifier)
URL: www.mylab.org/cgi-bin/sampleform
  request-host: www.mylab.org
  request-URI: /cgi-bin/sampleform

Slide 6: 2. TERMINOLOGY - continued
► domain-match
Host A’s name domain-matches host B’s if
► their names or IP addresses match exactly
► A is a FQDN string and has the form NB, where N is a non-empty string, B has the form .B′ and B′ is a FQDN
Examples:
► www.amazon.com domain-matches .amazon.com (N = www, B = .amazon.com)
► www.amazon.com does not domain-match amazon.com

Slide 7: RFC 2109 HTTP State Management Mechanism
1. Abstract
2. Terminology
3. State and Sessions

Slide 8: 3. STATE AND SESSIONS
Definition of session
1. Each session has a beginning and an end.
2. Each session is relatively short-lived.
3. Session is started by the origin server.
4. Either the user-agent or the origin server may terminate a session.
5. The session is implicit in the exchange of state information (there is no special message to start or stop a session).
An HTTP session may contain several TCP sessions.
Informally: a session might include access to a catalog, selection of purchase items into a shopping cart, checkout, and acknowledgement of purchase.

Slide 9: RFC 2109 HTTP State Management Mechanism
1. Abstract
2. Terminology
3. State and Sessions
4. Outline
4.1 Syntax
4.2 Origin Server Role
4.3 User Agent Role

Slide 10: 4. OUTLINE
► Origin server sends state information (cookie) to the user agent.
► User agent returns state information to origin server.
► The goal is to have minimal impact on HTTP (i.e. an add-on to HTTP).
► Impact will be confined to Common Gateway Interface (CGI) programs.
4.1 Syntax: General
Let’s learn it as we go along!

Slide 11: 4.2 Origin Server Role
4.2.1 General
► The origin server (surprising!) initiates a session, if it so desires.
► To initiate a session, the origin server returns an extra response header to the client: Set-Cookie
► A user agent returns a Cookie request header to the origin server (if the user agent chooses to continue the session).
► User agents should send Cookie request headers (subject to other rules detailed below) with every request.
► Servers may return a Set-Cookie header with any response (not necessarily every response).
► The origin server may include multiple Set-Cookie headers in a response.

Slide 12: 4. OUTLINE – continued
4.2.2 Set-Cookie Syntax
► At least one cookie
► Zero or more attribute-value pairs
► Netscape version had “expires”
► If “Version” missing, defaults to Netscape

Slide 13: Example: Wireshark trace of response to user keying in www.amazon.com (from Lab session 8)
Hypertext Transfer Protocol
  HTTP/1.1 302\r\n
    Response Code: 302
  Date: Fri, 08 Oct 2004 18:24:09 GMT\r\n
  Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix) amarewrite/0.1 mod_fastcgi/2.2.12\r\n
  Set-Cookie: session-id-time=1097827200; path=/; domain=.amazon.com; expires=Friday, 15-Oct-2004 08:00:00 GMT\r\n
  Set-Cookie: session-id=103-3915387-7090229; path=/; domain=.amazon.com; expires=Friday, 15-Oct-2004 08:00:00 GMT\r\n
  Location: http://www.amazon.com/exec/obidos/subst/home/home.html/103-3915387-7090229\r\n
  Connection: close\r\n
  Transfer-Encoding: chunked\r\n
  Content-Type: text/html\r\n
  \r\n
Netscape version: “Version” missing

Slide 14: 4. OUTLINE - continued
4.3 User Agent Role
4.3.1 Interpreting the Set-Cookie
The user agent keeps separate track of state information that arrives via Set-Cookie response headers from each origin server.
The user agent applies these defaults for optional attributes that are missing:
► Version – defaults to “old cookie” behavior as originally specified by Netscape.
► Domain – defaults to the request-host.
► Max-Age – the default behavior is to discard the cookie when the user-agent exits.
► Path – defaults to the path of the request URL that generated the Set-Cookie response.

Slide 15: 4. OUTLINE – continued
4.3 User Agent Role – continued
4.3.4 Sending Cookies to the Origin Server
When the user agent sends a request to an origin server, the user agent includes a Cookie request header if it has applicable cookies, based on:
► the request-host (defined earlier) – Domain Selection
AND
► the request-URI (defined earlier) – Path Selection
AND
► the cookie’s age – Max-Age Selection
URL: www.mylab.org/cgi-bin/sampleform
  request-host: www.mylab.org
  request-URI: /cgi-bin/sampleform

Slide 16: 4. OUTLINE – continued
4.3.4 Sending Cookies to the Origin Server - continued
Domain selection: The origin server’s FQDN must domain-match the domain attribute of the cookie.

Slide 17: 4. OUTLINE – continued
4.3.4 Sending Cookies to the Origin Server - continued
Path selection: The path attribute of the cookie must match a prefix of the request-URI.

Slide 18: 4. OUTLINE – continued
4.3.4 Sending Cookies to the Origin Server - continued
Max-Age selection: Cookies that have expired should have been discarded and not sent.

Slide 19: RFC 2109 HTTP State Management Mechanism
1. Abstract
2. Terminology
3. State and Sessions
4. Outline
4.1 Syntax
4.2 Origin Server Role
4.3 User Agent Role
5. Examples

Slide 20: Example: Wireshark trace of response to user keying in www.amazon.com (from Lab session 8)
Hypertext Transfer Protocol
  HTTP/1.1 302\r\n
    Response Code: 302
  Date: Fri, 08 Oct 2004 18:24:09 GMT\r\n
  Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix) amarewrite/0.1 mod_fastcgi/2.2.12\r\n
  Set-Cookie: session-id-time=1097827200; path=/;
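The user-agent side of slides 6, 13, 14 and 16-18 in working code: parsing a Set-Cookie header, filling in the RFC 2109 defaults for missing attributes (Version, Domain, Path, Max-Age), and applying the three selection rules (domain-match, path prefix, age) before building the Cookie request header. This is an added example, not code from the slides or from any browser; it feeds in the two Set-Cookie headers from the Amazon trace on slide 13 and a constructed cookie for the www.mylab.org URL from slide 5. The function names, the treatment of the Netscape "expires" attribute as an expiry time, and the requirement that the domain attribute contain an embedded dot are assumptions of this example.

```python
"""RFC 2109 cookie handling on the user-agent side (added example):
parse Set-Cookie, apply the defaults for missing attributes, then select
which cookies go into the Cookie request header (domain, path, age)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlsplit

# Netscape-style "expires" date as seen in the Amazon trace (slide 13).
NETSCAPE_EXPIRES_FMT = "%A, %d-%b-%Y %H:%M:%S GMT"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                   # value used for domain-matching
    path: str
    version: int                  # 0 = "old cookie" (Netscape) behaviour
    expires: Optional[datetime]   # None = discard when the user agent exits


def domain_match(a: str, b: str) -> bool:
    """Host A's name domain-matches host B's (slide 6) if the names match
    exactly, or A has the form NB with N non-empty and B = ".B'" where B'
    is a FQDN.  Comparison is case-insensitive."""
    a, b = a.lower(), b.lower()
    if a == b:                                   # exact name / IP match
        return True
    if not b.startswith(".") or "." not in b[1:]:
        return False                             # assumption: B' must contain a dot
    return a.endswith(b) and len(a) > len(b)     # N = a[:-len(b)] is non-empty


def default_path(request_url: str) -> str:
    """Path default: the request URL's path up to, but not including, the
    rightmost '/' (RFC 2109 section 4.3.1); '/' when nothing is left."""
    path = urlsplit(request_url).path or "/"
    return path[:path.rfind("/")] or "/"


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value and apply the slide 14 defaults."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')
    host = urlsplit(request_url).hostname
    version = int(attrs.get("version", 0))          # missing -> Netscape behaviour
    domain = attrs.get("domain", host)               # missing -> request-host
    path = attrs.get("path", default_path(request_url))
    expires = None                                   # missing -> discard at UA exit
    if "max-age" in attrs:                           # RFC 2109 attribute
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:                         # Netscape attribute (assumption)
        expires = datetime.strptime(attrs["expires"], NETSCAPE_EXPIRES_FMT)
        expires = expires.replace(tzinfo=timezone.utc)
    return Cookie(name.strip(), value.strip(), domain, path, version, expires)


def select_cookies(jar: List[Cookie], request_url: str, now: datetime) -> List[Cookie]:
    """The three selection rules of slides 16-18 (RFC 2109 section 4.3.4)."""
    u = urlsplit(request_url)
    host, req_path = u.hostname, (u.path or "/")
    chosen = []
    for c in jar:
        if not domain_match(host, c.domain):            # domain selection
            continue
        if not req_path.startswith(c.path):             # path selection (prefix)
            continue
        if c.expires is not None and now >= c.expires:  # max-age selection
            continue
        chosen.append(c)
    chosen.sort(key=lambda c: len(c.path), reverse=True)  # more specific paths first
    return chosen


def cookie_header(jar: List[Cookie], request_url: str, now: datetime) -> Optional[str]:
    """Cookie request header in the Netscape form (no Version attribute was
    sent, so the cookies are version 0); None when no cookie applies."""
    chosen = select_cookies(jar, request_url, now)
    return "; ".join(f"{c.name}={c.value}" for c in chosen) if chosen else None


# Set-Cookie headers from the Amazon trace on slide 13, received in the
# response to http://www.amazon.com/ whose Date header is RESPONSE_DATE.
AMAZON_SET_COOKIES = [
    "session-id-time=1097827200; path=/; domain=.amazon.com; expires=Friday, 15-Oct-2004 08:00:00 GMT",
    "session-id=103-3915387-7090229; path=/; domain=.amazon.com; expires=Friday, 15-Oct-2004 08:00:00 GMT",
]
RESPONSE_DATE = datetime(2004, 10, 8, 18, 24, 9, tzinfo=timezone.utc)


def amazon_jar() -> List[Cookie]:
    return [parse_set_cookie(h, "http://www.amazon.com/", RESPONSE_DATE) for h in AMAZON_SET_COOKIES]


def demo() -> dict:
    jar = amazon_jar()
    follow = "http://www.amazon.com/exec/obidos/subst/home/home.html/103-3915387-7090229"  # Location header
    return {
        "follow_location": cookie_header(jar, follow, RESPONSE_DATE),
        "bare_amazon_com": cookie_header(jar, "http://amazon.com/", RESPONSE_DATE),  # no domain-match
        "after_expiry": cookie_header(jar, follow, datetime(2004, 10, 15, 8, 0, 0, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for case, hdr in demo().items():
        print(f"{case}: {hdr}")
```

Following the Location redirect sends both cookies; a request to the bare host amazon.com sends none, because amazon.com does not domain-match .amazon.com (slide 6); and once the Netscape expires time has passed the cookies are no longer sent (slide 18). A constructed "lab=1" cookie set without attributes from www.mylab.org/cgi-bin/sampleform picks up the slide 14 defaults: domain www.mylab.org, path /cgi-bin, session lifetime.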



UAB CS 434 - State Management Mechanism
