Use of HTTP State Management
RFC 2964 Use of HTTP State Management October 2000
users, specifically by leaking potentially sensitive information to
third parties such as the Web sites a user has visited. There are
also other uses of HTTP State Management which are inappropriate even
though they do not threaten user privacy.
This memo therefore identifies uses of the HTTP State Management
protocol specified in RFC-2965 which are not recommended by the IETF,
or which are believed to be harmful and are therefore discouraged.
This document occasionally uses terms that appear in capital letters.
When the terms "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
appear capitalized, they are being used to indicate particular
requirements of this specification. A discussion of the meanings of
the terms "MUST", "SHOULD", and "MAY" appears in [RFC-1123]; the
terms "MUST NOT" and "SHOULD NOT" are logical extensions of this
usage.
2. Uses of HTTP State Management
The purpose of HTTP State Management is to allow an HTTP-based
service to create stateful "sessions" which persist across multiple
HTTP transactions. A single session may involve transactions with
multiple server hosts. Multiple client hosts may also be involved in
a single session when the session data for a particular user is
shared between client hosts (e.g., via a networked file system). In
other words, the "session" retains state between a "user" and a
"service", not between particular hosts.
It's important to realize that similar capabilities may also be
achieved using the "bare" HTTP protocol, and/or dynamically-generated
HTML, without the State Management extensions. For example, state
information can be transmitted from the service to the user by
embedding a session identifier in one or more URLs which appear in
HTTP redirects, or dynamically generated HTML; and the state
information may be returned from the user to the service when such
URLs appear in a GET or POST request. HTML forms can also be used to
pass state information from the service to the user and back, without
the user being aware of this happening.
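As an added illustration (not part of RFC 2964), the Python below models the two ways of carrying state that this section contrasts: a session identifier embedded in URLs versus an RFC 2965 cookie sent in a separate header. It shows that a URL from the cookie-based session can be handed to another user without handing over the session, whereas the URL-embedded form leaks it. The service class, hostname and query parameter name are assumptions of this example.

```python
# Added example, not RFC text: compares URL-embedded session state with cookie-based
# state. SESSION_PARAM, Service and catalog.example are assumptions of this example.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

SESSION_PARAM = "sid"  # hypothetical name for the session identifier


class Service:
    """Minimal stateful service able to issue its state either way."""

    def __init__(self):
        self.sessions = {}  # session id -> per-user state

    def start_session(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "cart": ["sandals"]}
        return sid

    def url_with_state(self, path, sid):
        # "bare" HTTP style: the state identifier travels inside the URL itself
        query = urlencode({SESSION_PARAM: sid})
        return urlunparse(("https", "catalog.example", path, "", query, ""))

    def cookie_header(self, sid):
        # RFC 2965 style: the identifier travels in a Cookie header, not the URL
        return f"$Version=1; {SESSION_PARAM}={sid}"

    def handle(self, url, cookie=None):
        """Return the session state a request resolves to, or None if it has none."""
        if cookie:
            pairs = (p.strip().split("=", 1) for p in cookie.split(";"))
            sid = dict(pairs).get(SESSION_PARAM)
        else:
            sid = parse_qs(urlparse(url).query).get(SESSION_PARAM, [None])[0]
        return self.sessions.get(sid)


def share_url_demo():
    """Alice starts a session and sends Bob the URL she is looking at."""
    svc = Service()
    sid = svc.start_session("alice")
    # Case 1: URL-embedded state. Bob's plain GET on the shared URL resolves to Alice's session.
    leaked = svc.handle(svc.url_with_state("/catalog/sandals", sid))
    # Case 2: cookie-based state. The URL carries nothing; only Alice's Cookie header resolves.
    clean_url = "https://catalog.example/catalog/sandals"
    alice_view = svc.handle(clean_url, cookie=svc.cookie_header(sid))
    bob_view = svc.handle(clean_url)
    return leaked, alice_view, bob_view
```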
However, the HTTP State Management facility does provide an increase
in functionality over ordinary HTTP and HTML. In practice, this
additional functionality includes:
(1) The ability to exchange URLs between users, of resources
accessed during stateful sessions, without leaking the state
information associated with those sessions. (e.g. "Here's the
URL for the FooCorp web catalog entry for those sandals that
you wanted.")
Moore & Freed Best Current Practice