Network Working Group                                           K. Moore
Request for Comments: 2964                       University of Tennessee
BCP: 44                                                         N. Freed
Category: Best Current Practice                                 Innosoft
                                                            October 2000
Use of HTTP State Management
Status of this Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
IESG Note
The IESG notes that this mechanism makes use of the .local top-level
domain (TLD) internally when handling host names that don't contain
any dots, and that this mechanism might not work in the expected way
should an actual .local TLD ever be registered.
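The note above refers to the host-name handling defined in RFC 2965: a host name with no dots gets ".local" appended before domain matching, and a Domain attribute of ".local" is the one dotless value a user agent may accept. The following is an added illustration written for this page (not code from the RFC or its authors), implementing the effective-host-name, domain-match and Domain-attribute rejection rules as given in RFC 2965 sections 1 and 3.3.2, and showing why a registered .local TLD would merge the match scope of dotless intranet hosts with that of real .local hosts. The host names used are constructed examples.

```python
"""Effective host name and domain-match rules from RFC 2965, as an added example.
Not code from RFC 2964; host names below are constructed for illustration."""
import ipaddress


def is_ip_address(host: str) -> bool:
    """True if host is a numeric IP address rather than a host domain name (HDN)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def effective_host(host: str) -> str:
    """RFC 2965 effective host name: a host name containing no dots gets '.local'
    appended; otherwise it is unchanged. Comparison is case-insensitive, so the
    result is lower-cased."""
    host = host.lower()
    if "." not in host:
        return host + ".local"
    return host


def domain_match(a: str, b: str) -> bool:
    """RFC 2965 domain-match: A domain-matches B if the strings are equal, or A is an
    HDN of the form N + B with N non-empty and B starting with a dot.
    So 'x.y.com' domain-matches '.y.com' but not 'y.com'."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    return (not is_ip_address(a)) and b.startswith(".") and a.endswith(b) and len(a) > len(b)


def accept_domain_attribute(request_host: str, domain_attr: str) -> bool:
    """Apply the Domain-related checks a user agent makes on a Set-Cookie2 header
    (RFC 2965 section 3.3.2). Returns True if the Domain value is acceptable."""
    request_host = request_host.lower()
    domain_attr = domain_attr.lower()
    # A Domain value without a leading dot is given one by the user agent.
    if not domain_attr.startswith("."):
        domain_attr = "." + domain_attr
    # A Domain value with no embedded dots is rejected, unless it is exactly '.local'.
    if "." not in domain_attr.lstrip(".") and domain_attr != ".local":
        return False
    # The effective request-host must domain-match the Domain attribute.
    if not domain_match(effective_host(request_host), domain_attr):
        return False
    # Reject if the request-host is an HDN of the form H + D where H contains a dot
    # (e.g. 'a.b.example.com' may not set Domain=.example.com).
    if not is_ip_address(request_host) and request_host.endswith(domain_attr):
        if "." in request_host[: -len(domain_attr)]:
            return False
    return True


def cookie_sent_to(domain_attr: str, host: str) -> bool:
    """Sending rule (RFC 2965 section 3.3.4): the origin server's effective host
    name must domain-match the cookie's Domain attribute."""
    return domain_match(effective_host(host), domain_attr)


if __name__ == "__main__":
    # A dotless intranet host may set a cookie for Domain=.local ...
    print(accept_domain_attribute("intranet", ".local"))        # True
    # ... which is then sent to every other dotless host on the intranet.
    print(cookie_sent_to(".local", "printer"))                   # True
    # It is not sent to ordinary public hosts.
    print(cookie_sent_to(".local", "www.example.com"))           # False
    # The caveat in the IESG note: a host under a real .local TLD would fall in
    # the same scope as the dotless intranet hosts, in both directions.
    print(cookie_sent_to(".local", "somehost.local"))            # True
    print(accept_domain_attribute("somehost.local", ".local"))   # True
```

The last two lines are the point of the IESG note: nothing in the matching rules distinguishes an effective host name synthesized from a dotless name from a genuine name registered under a real .local TLD, so a cookie scoped to .local would be shared between the two.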
Abstract
The mechanisms described in "HTTP State Management Mechanism" (RFC-
2965), and its predecessor (RFC-2109), can be used for many different
purposes. However, some current and potential uses of the protocol
are controversial because they have significant user privacy and
security implications. This memo identifies specific uses of
Hypertext Transfer Protocol (HTTP) State Management protocol which
are either (a) not recommended by the IETF, or (b) believed to be
harmful, and discouraged. This memo also details additional privacy
considerations which are not covered by the HTTP State Management
protocol specification.
1. Introduction
The HTTP State Management mechanism is both useful and controversial.
It is useful because numerous applications of HTTP benefit from the
ability to save state between HTTP transactions, without encoding
such state in URLs. It is controversial because the mechanism has
been used to accomplish things for which it was not designed and is
not well-suited. Some of these uses have attracted a great deal of
public criticism because they threaten to violate the privacy of web
Moore & Freed Best Current Practice