The HTTP Working Group of the Internet Engineering Task Force (IETF) is in the process of standardizing what are often referred to as
Cookies are a way for a server to sustain a stateful session by passing information to a user agent; the user agent returns that information to the server on its next visit.
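As an added illustration of that exchange (example code written for this page, not from the page's author or from any of the specifications it links), the following user-agent side implements the RFC 2965 Set-Cookie2 rules that decide whether a cookie may be stored at all, and then builds the Cookie header for a later request. It covers Version, Path, Domain, Max-Age and Secure only; Port, Discard, CommentURL and the ".local" rule are assumed away, and the caller supplies the clock.

```python
def domain_match(host, domain):
    # RFC 2965 domain-match: equal, or host = N + domain with domain starting
    # with "." and N non-empty (so www.acme.com matches .acme.com).
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and
                              host.endswith(domain) and len(host) > len(domain))

def accept_set_cookie2(header, request_host, request_path, now):
    """Apply the RFC 2965 rejection rules to one Set-Cookie2 value received
    at time `now` (epoch seconds); return a storable cookie dict or None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')
    if attrs.get("version") != "1":
        return None                        # Set-Cookie2 requires Version=1
    # Default Path is the request path up to, not including, its last "/".
    path = attrs.get("path") or (request_path.rsplit("/", 1)[0] or "/")
    if not request_path.startswith(path):
        return None                        # Path is not a prefix of request-URI
    explicit = "domain" in attrs
    domain = attrs["domain"].lower() if explicit else request_host.lower()
    if explicit:
        domain = domain if domain.startswith(".") else "." + domain
        # Reject: no embedded dots (.com), host outside Domain, or host =
        # H + Domain where H still contains a dot (a.b.acme.com vs .acme.com).
        if ("." not in domain[1:] or not domain_match(request_host, domain)
                or "." in request_host.lower()[: -len(domain)]):
            return None
    max_age = attrs.get("max-age")
    expires = now + int(max_age) if max_age else None
    return {"name": name.strip(), "value": value.strip().strip('"'), "path": path,
            "domain": domain, "explicit_domain": explicit,
            "secure": "secure" in attrs, "expires": expires}

def cookie_header(jar, host, path, now, secure_channel=False):
    """Build the Cookie request header for host/path from stored cookies."""
    chosen = [c for c in jar if (c["expires"] is None or c["expires"] > now)
              and domain_match(host, c["domain"]) and path.startswith(c["path"])
              and (secure_channel or not c["secure"])]
    chosen.sort(key=lambda c: len(c["path"]), reverse=True)  # most specific path first
    items = ['$Version="1"']
    for c in chosen:
        items.append(f'{c["name"]}="{c["value"]}"; $Path="{c["path"]}"')
        if c["explicit_domain"]:           # $Domain only when Domain was explicit
            items[-1] += f'; $Domain="{c["domain"]}"'
    return "; ".join(items) if chosen else None
```

The rejection rules are what keep one host from planting cookies that a browser would later send to an unrelated host or to every site under a top-level domain.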
specifies the HTTP State Management Mechanism and is a Proposed Standard.
RFC 2965 supersedes
Use of HTTP State Management, is an important adjunct to the cookie specification itself.
Official discussions of the cookie specifications occur on the
but some more general discussions of HTTP State Management occur on the http-state mailing list.
Errata to RFC 2965
Discussions of errata to RFC 2965 are held on the revised HTTP State mailing list.
This page tracks the issues under discussion.
Work has begun to specify proxy cookies, which would maintain state between a proxy server and its nearest
You can examine the evolution of RFC 2965.
has quite a collection of information about cookies.
And there's another nice
with general information about cookies, including privacy.
The Computer Incident Advisory Capability (CIAC) folks have posted a pretty good description of the risks of cookies from a computer intrusion
Finally, there's the book "Cookies," by Simon St. Laurent, which discusses cookies, cookie applications, and the privacy aspects of cookies. McGraw-Hill. ISBN 0-07-050498-9.
I have written a paper, HTTP Cookies: Standards, Privacy, and Politics, which should be published during 2001 in an ACM journal. Here's the abstract:
How did we get from a world where cookies were something you ate and where "non-techies" were unaware of "Netscape cookies" to a world where cookies are a hot-button privacy issue for many computer users? This paper will describe how HTTP "cookies" work, and how Netscape's original specification evolved into an IETF Proposed Standard. I will also offer a personal perspective on how what began as a straightforward technical specification turned into a political flashpoint when it tried to address non-technical issues such as
is preparing a case study on cookies.
Meanwhile, he has prepared a comprehensive list of links to background and technical information about cookies.
Specification" for Persistent Client State HTTP Cookies.
For reference purposes, my original State-Info proposal, Proposed HTTP State-Info Mechanism (1995):
David M. Kristol,
Last modified: March 28, 2006