Cookie Specification
The HTTP Working Group of the Internet Engineering Task Force (IETF) is in the process of standardizing what are often referred to as (Netscape) ``cookies.'' Cookies are a way for a server to sustain a stateful session by passing information to a user agent; the user agent returns that information to the server on later requests that fall within the cookie's scope (its host/domain and path), so the server can recognize the session without any server-side lookup on the first hop.
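As an added illustration (not part of this page, and not code from any IETF document), the following Python models one round trip under RFC 2965: the server's Set-Cookie2 header is parsed and stored by a user-agent-side cookie jar, and the jar builds the Cookie header the user agent returns on a later request. The host names, cookie names and values are constructed. It keeps only the scoping rules a security reviewer cares about (Domain, Path, Secure and the section 3.3.2 rejection rules); Max-Age, Port, Comment, CommentURL, Discard and the ``.local'' effective-host rule are deliberately left out.

```python
"""One RFC 2965 state-management round trip (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # request host, or an explicit Domain with a leading "."
    path: str
    explicit_domain: bool  # server sent Domain=, so it is echoed back as $Domain
    explicit_path: bool    # server sent Path=, so it is echoed back as $Path
    secure: bool = False


def domain_match(host: str, domain: str) -> bool:
    """RFC 2965 domain-match: equal strings, or domain is ".B" and host is "N.B"
    with N non-empty. Strict consequence: x.y.com matches .y.com, y.com does not."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def _parse(header: str):
    """Split a Set-Cookie2 value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')
    return name.strip(), value.strip().strip('"'), attrs


def store_cookie(jar: List[Cookie], header: str, request_host: str, request_path: str) -> bool:
    """Apply one Set-Cookie2 header from a response to request_host/request_path.
    Returns True if stored, False if RFC 2965 section 3.3.2 says to reject it."""
    name, value, attrs = _parse(header)
    request_host = request_host.lower()

    # Path defaults to the request path minus its last segment. An explicit Path
    # must be a prefix of the request path: a response to /acme/login may set
    # Path=/acme or Path=/, but not Path=/acme/admin.
    path = attrs.get("path", request_path.rsplit("/", 1)[0] or "/")
    if not request_path.startswith(path):
        return False

    # Domain defaults to the request host. An explicit Domain gets a leading dot,
    # needs an embedded dot (".com" is rejected), must domain-match the request
    # host (www.example.com cannot set .evil.com), and the host part it does not
    # cover must be dot-free (a.b.example.com cannot set .example.com).
    explicit_domain = "domain" in attrs
    if explicit_domain:
        domain = attrs["domain"].lower()
        if not domain.startswith("."):
            domain = "." + domain
        if "." not in domain[1:] and domain != ".local":
            return False
        if not domain_match(request_host, domain):
            return False
        if "." in request_host[: -len(domain)]:
            return False
    else:
        domain = request_host

    # A later cookie with the same name, domain and path replaces the earlier one.
    jar[:] = [c for c in jar if (c.name, c.domain, c.path) != (name, domain, path)]
    jar.append(Cookie(name, value, domain, path, explicit_domain, "path" in attrs, "secure" in attrs))
    return True


def cookie_header(jar: List[Cookie], url: str) -> Optional[str]:
    """Build the Cookie request header the user agent sends to url, or None."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    chosen = [c for c in jar
              if domain_match(host, c.domain)
              and path.startswith(c.path)
              and (not c.secure or u.scheme == "https")]
    if not chosen:
        return None
    chosen.sort(key=lambda c: len(c.path), reverse=True)  # more specific paths first
    out = ['$Version="1"']
    for c in chosen:
        out.append(f'{c.name}="{c.value}"')
        if c.explicit_path:
            out.append(f'$Path="{c.path}"')
        if c.explicit_domain:
            out.append(f'$Domain="{c.domain}"')
    return "; ".join(out)


if __name__ == "__main__":
    jar: List[Cookie] = []
    # Constructed: response to GET /acme/login on www.example.com
    store_cookie(jar, 'Customer="WILE_E_COYOTE"; Version="1"; Path="/acme"', "www.example.com", "/acme/login")
    print(cookie_header(jar, "http://www.example.com/acme/pickitem"))
```

The rejection rules are where the security lies: without them any server could plant cookies for an unrelated domain or for a sibling path it does not control. Note also that the strict RFC 2965 domain-match makes a cookie for ``.example.com'' invisible to ``example.com'' itself, a quirk worth remembering when reading older user-agent code.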
Specification Status
RFC 2965 specifies the HTTP State Management Mechanism and is a Proposed Standard. RFC 2965 supersedes RFC 2109. BCP 44 (RFC 2964), Use of HTTP State Management, is an important adjunct to the cookie specification itself: it covers what applications should and should not use cookies for.
Official discussions of the cookie specifications occur on the HTTP-WG mailing list, but some more general discussions of HTTP State Management occur on the http-state mailing list.
Errata to RFC 2965
Discussions of errata to RFC 2965 are held on the revised HTTP State mailing list. This page tracks the issues under discussion.
Proxy Cookies
Work has begun to specify proxy cookies, which would maintain state between a proxy server and its nearest client.
More Information
You can examine the evolution of RFC 2965.
Cookie Central has quite a collection of information about cookies. And there's another nice resource page with general information about cookies, including privacy.
The Computer Incident Advisory Capability (CIAC) folks have posted a pretty good description of the risks of cookies from a computer intrusion standpoint.
Finally, there's the book ``Cookies,'' by Simon St. Laurent, which discusses cookies, cookie applications, and the privacy aspects of cookies (McGraw-Hill, ISBN 0-07-050498-9).
I have written a paper, HTTP Cookies: Standards, Privacy, and Politics, which should be published during 2001 in an ACM journal. Here's the abstract:
How did we get from a world where cookies were something you ate and where ``non-techies'' were unaware of ``Netscape cookies'' to a world where cookies are a hot-button privacy issue for many computer users? This paper will describe how HTTP ``cookies'' work, and how Netscape's original specification evolved into an IETF Proposed Standard. I will also offer a personal perspective on how what began as a straightforward technical specification turned into a political flashpoint when it tried to address non-technical issues such as privacy.
Rajiv Shah is preparing a case study on cookies. Meanwhile, he has prepared a comprehensive list of links of background and technical information about cookies.
Netscape's ``Preliminary Specification'' for Persistent Client State HTTP Cookies.
For reference purposes, my original State-Info proposal, Proposed HTTP State-Info Mechanism (1995): [text] [Postscript]
David M. Kristol,
dmk@kristol.org
Last modified: March 28, 2006