This document specifies a way to create a stateful session with Hypertext Transfer Protocol (HTTP) requests and responses. It describes three new headers, Cookie, Cookie2, and Set-Cookie2, which carry state information between participating origin servers and user agents. The method described here differs from Netscape's Cookie proposal [Netscape], but it can interoperate with HTTP/1.0 user agents that use Netscape's method. (See the HISTORICAL section.)