RFC 2109 (rfc2109) - Page 3 of 21

HTTP State Management Mechanism

RFC 2109            HTTP State Management Mechanism        February 1997


   We outline here a way for an origin server to send state information
   to the user agent, and for the user agent to return the state
   information to the origin server.  The goal is to have a minimal
   impact on HTTP and user agents.  Only origin servers that need to
   maintain sessions would suffer any significant impact, and that
   impact can largely be confined to Common Gateway Interface (CGI)
   programs, unless the server provides more sophisticated state
   management support.  (See Implementation Considerations, below.)

4.1  Syntax:  General

   The two state management headers, Set-Cookie and Cookie, have common
   syntactic properties involving attribute-value pairs.  The following
   grammar uses the notation, and tokens DIGIT (decimal digits) and
   token (informally, a sequence of non-special, non-white space
   characters) from the HTTP/1.1 specification [RFC 2068] to describe
   their syntax.

   av-pairs        =       av-pair *(";" av-pair)
   av-pair         =       attr ["=" value]        ; optional value
   attr            =       token
   value           =       word
   word            =       token | quoted-string

   Attributes (names) (attr) are case-insensitive.  White space is
   permitted between tokens.  Note that while the above syntax
   description shows value as optional, most attrs require them.

   NOTE: The syntax above allows whitespace between the attribute and
   the = sign.
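
   The following strict parser for the av-pairs grammar above is an
   added example and is not part of the RFC text.  The function name
   parse_av_pairs is hypothetical, the sample input is constructed, and
   the token character set follows the RFC 2068 definition, which this
   page does not spell out.

```python
import re

# token as defined in RFC 2068 (assumption: the set is not spelled out on this
# page): any US-ASCII CHAR except control characters and tspecials.
TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+"
# quoted-string: double-quoted text in which backslash escapes the next char.
QUOTED = r'"(?:[^"\\]|\\.)*"'
# av-pair = attr ["=" value], with optional white space between tokens.
AV_PAIR = re.compile(
    rf"[ \t]*(?P<attr>{TOKEN})[ \t]*(?:=[ \t]*(?P<value>{TOKEN}|{QUOTED}))?[ \t]*"
)


def parse_av_pairs(text):
    """Parse av-pairs strictly; return [(attr_lowercased, value_or_None), ...]."""
    pairs, pos = [], 0
    while True:
        m = AV_PAIR.match(text, pos)
        if m is None:
            raise ValueError(f"expected attr at offset {pos}")
        value = m.group("value")
        if value is not None and value.startswith('"'):
            # Strip the quotes and undo quoted-pair escapes.
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        # attr names are case-insensitive, so normalise them for lookup.
        pairs.append((m.group("attr").lower(), value))
        pos = m.end()
        if pos == len(text):
            return pairs
        if text[pos] != ";":
            # Anything other than ";" here is outside the grammar; reject it
            # rather than guess.
            raise ValueError(f"unexpected {text[pos]!r} at offset {pos}")
        pos += 1


if __name__ == "__main__":
    # Constructed sample input, not taken from the RFC text on this page.
    sample = 'Customer="WILE_E_COYOTE"; Version = "1"; PATH="/acme"; Secure'
    print(parse_av_pairs(sample))
```

   Because "/" is not a token character, an unquoted value such as
   Path=/acme is rejected; rejecting input outside the grammar keeps
   two parsers from reading the same header differently.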

4.2  Origin Server Role

4.2.1  General

   The origin server initiates a session, if it so desires.  (Note that
   "session" here does not refer to a persistent network connection but
   to a logical session created from HTTP requests and responses.  The
   presence or absence of a persistent connection should have no effect
   on the use of cookie-derived sessions).  To initiate a session, the
   origin server returns an extra response header to the client, Set-
   Cookie.  (The details follow later.)

   A user agent returns a Cookie request header (see below) to the
   origin server if it chooses to continue a session.  The origin server
   may ignore it or use it to determine the current state of the

Kristol & Montulli          Standards Track