HTTP State Management Mechanism (RFC2109)
Original Publication Date: 1997-Feb-01
Included in the Prior Art Database: 2019-Feb-15
Internet Society Requests For Comment (RFCs)
D. Kristol: AUTHOR [+1]
This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set- Cookie, which carry state information between participating origin servers and user agents. The method described here differs from Netscape's Cookie proposal, but it can interoperate with HTTP/1.0 user agents that use Netscape's method. [STANDARDS-TRACK]
Network Working Group D. Kristol Request for Comments: 2109 Bell Laboratories, Lucent Technologies Category: Standards Track L. Montulli Netscape Communications February 1997
HTTP State Management Mechanism
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set-Cookie, which carry state information between participating origin servers and user agents. The method described here differs from Netscape’s Cookie proposal, but it can interoperate with HTTP/1.0 user agents that use Netscape’s method. (See the HISTORICAL section.)
The terms user agent, client, server, proxy, and origin server have the same meaning as in the HTTP/1.0 specification.
Fully-qualified host name (FQHN) means either the fully-qualified domain name (FQDN) of a host (i.e., a completely specified domain name ending in a top-level domain such as .com or .uk), or the numeric Internet Protocol (IP) address of a host. The fully qualified domain name is preferred; use of numeric IP addresses is strongly discouraged.
The terms request-host and request-URI refer to the values the client would send to the server as, respectively, the host (but not port) and abs_path portions of the absoluteURI (http_URL) of the HTTP request line. Note that request-host must be a FQHN.
Kristol & Montulli Standards Track [Page 1]
RFC 2109 HTTP State Management Mechanism February 1997
Hosts names can be specified either as an IP address or a FQHN string. Sometimes we compare one host name with another. Host A’s name domain-matches host B’s if
* both host names are IP addresses and their host name strings match exactly; or
* both host names are FQDN strings and their host name strings match exactly; or
* A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B’, and B’ is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)
Note that domain-match is not a commutative operation: a.b.c.com domain-matches .c.com, but not the reverse.
Because it was used in Netscape’s original implementation of state management, we will use the term cookie to refer to the state information that passes between an origin server and user agent, and that gets stored by the user agent.
3. STATE AND SESSIONS
This document describes a way to create stateful sessions with HTTP requests and responses. Currently, HTTP servers respond to each client request without relating that request to previous or subsequent requests; the technique allows clients and servers that wish to exchange state information to place HTTP requests and re...