Handling Cookies is a Minefield:

inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

https://grayduck.mn/2024/11/21/handling-cookies-is-a-minefield/

April King — Handling Cookies is a Minefield

Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.
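The failure mode the post describes, as an added example for this thread (not April King's test code and not from any library the article covers): Python's standard `http.cookies.SimpleCookie` validates the entire `Cookie` header first and, if any pair is malformed, stores nothing at all; if its pattern merely stops matching, every cookie after the bad one is lost. One stray cookie from a third-party script is therefore enough to sign every visitor out. The hypothetical `lenient_parse` helper shows the tolerant alternative: parse pair by pair, keep the well-formed cookies, and return the rejected fragments so they can be counted and logged. The sample header is constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample: the middle cookie (think of a third-party script that
# sets a cookie on a parent domain) contains a bare space, which RFC 6265
# does not allow inside a cookie-value.
CONSTRUCTED_HEADER = "session=abc123; tracker=hello world; csrf=xyz789"

# Characters RFC 6265 excludes from a cookie-value; the range check below
# additionally rejects whitespace, control characters, DEL and non-ASCII.
_FORBIDDEN_IN_VALUE = set('",;\\')
# Separators that may not appear in a cookie-name (token).
_FORBIDDEN_IN_NAME = set('"(),/:;<=>?@[\\]{}')


def strict_parse(header: str) -> dict[str, str]:
    """Parse with the standard library's SimpleCookie.

    SimpleCookie scans the whole string before committing anything: a bare
    token such as 'world' makes it return without storing a single cookie,
    and a character its regex cannot match makes it stop, dropping every
    cookie that follows.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def _valid_chars(text: str, forbidden: set[str]) -> bool:
    """True when every character is printable ASCII, not a space, not forbidden."""
    return all(0x20 < ord(ch) < 0x7F and ch not in forbidden for ch in text)


def lenient_parse(header: str) -> tuple[dict[str, str], list[str]]:
    """Tolerant per-pair parsing (hypothetical helper, not from the post).

    Splits on ';', keeps every well-formed name=value pair and returns the
    fragments it rejected, so the caller can log or alert on them instead of
    learning about the problem from a wave of logged-out users.
    """
    cookies: dict[str, str] = {}
    rejected: list[str] = []
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue  # empty segment, e.g. from a trailing ';'
        name, sep, value = fragment.partition("=")
        name, value = name.strip(), value.strip()
        if (not sep or not name
                or not _valid_chars(name, _FORBIDDEN_IN_NAME)
                or not _valid_chars(value, _FORBIDDEN_IN_VALUE)):
            rejected.append(fragment)
            continue
        cookies.setdefault(name, value)  # first occurrence wins
    return cookies, rejected


if __name__ == "__main__":
    print("strict :", strict_parse(CONSTRUCTED_HEADER))
    kept, dropped = lenient_parse(CONSTRUCTED_HEADER)
    print("lenient:", kept, "rejected:", dropped)
```

The practical check here is the size of `rejected`: a counter or log line on it turns "a few users cannot stay logged in" into a metric that moves the moment a misbehaving cookie appears.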

@april

> everything behaves differently, and it's a miracle that cookies work at all.

Sounds like the Internet 😅

@april entertaining as much as terrifying read. Would have been very timely right at the end of the past month 🦇🎃👻
@april this reminds me of years ago the HTTP WG being pretty reluctant to change cookies to actually match what web compat requires — and while some might want to argue “hey there’s loads of other HTTP stacks which aren’t reporting compatibility issues”, cookies are surely disproportionately used by browsers

@april @krinkle Hahaha! I ran into this issue about 15 years ago and thought maybe the Cookie2 and Set-Cookie2 headers were the way to go (since they appear to resolve the value of the cookie), but literally no one ever used that header, so it’s deprecated now.

https://www.rfc-editor.org/rfc/rfc2965
https://www.rfc-editor.org/rfc/rfc6265

RFC 2965: HTTP State Management Mechanism

@ramsey @april @krinkle I think the new and better response is https://www.rfc-editor.org/rfc/rfc9651.html but for some reason this has yet to gain traction in PHP 🤷
RFC 9651: Structured Field Values for HTTP

This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields. This document obsoletes RFC 8941.

@nyamsprod @april @krinkle It appears it’s still very new. I’ve never heard of it, but I like what I see.
@ramsey @april @krinkle it's been there for almost 4 years and all new headers, from Chrome to what not, use it already. I even created a PHP package for it. Working on v2 at the moment https://github.com/bakame-php/http-structured-fields
GitHub - bakame-php/http-structured-fields: Structured Field Values for HTTP manipulation in PHP
@ramsey @april @krinkle and Opera (Presto) was, I think, the only browser that supported it? But with no cookies being sent, that was basically useless.
@april opening an issue on the php-src GitHub repo might be a good idea so that someone (if not myself) looks into it for PHP.

@april I've tried. I've struggled. I've filed numerous issues. I've had very little success in trying to rectify several of the issues you list in there... 😞
@bagder @april this reminded me of http://seriot.ch/projects/parsing_json.html which is basically proof that as a community we also fail with newer standards unfortunately
Parsing JSON is a Minefield

@april the other thing that comes to mind recently is “SameSite=Lax” by default, which a bunch of docs and specs say is the case, but only Chrome has managed to ship it — both Firefox and Safari unshipped it, due to too much breakage, and the win is much smaller when cookies are partitioned and/or not sent cross-site/origin to start with
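Since the reply above points out that the "Lax by default" behaviour documented in specs only ships in Chrome, the portable choice is to state `SameSite` explicitly on every cookie. The following is an added example for this thread (not code from the post or from any project it mentions): a small `Set-Cookie` auditor that flags cookies relying on the browser default, cookies with a `SameSite` value browsers do not define, and `SameSite=None` without `Secure`. The helper names are hypothetical and the response headers are constructed.

```python
from typing import Optional

# Constructed sample response headers (not taken from any real site).
CONSTRUCTED_SET_COOKIES = [
    "sid=abc123; Path=/; Secure; HttpOnly",   # relies on the browser's default
    "pref=dark; Path=/; SameSite=Lax",        # explicit, nothing to report
    "embed=1; Path=/; SameSite=None",         # None without Secure
    "legacy=1; Path=/; SameSite=Whatever",    # value no browser defines
]

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to None.
    """
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs: dict[str, Optional[str]] = {}
    for raw in rest:
        key, sep, val = raw.strip().partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return human-readable findings for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings: list[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(
            f"{name}: no SameSite attribute, so cross-site behaviour depends on "
            "each browser's default (only Chrome applies Lax)")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(
            f"{name}: SameSite={samesite} is not Strict, Lax or None; browsers "
            "handle unknown values inconsistently")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append(
            f"{name}: SameSite=None without Secure; the RFC 6265bis draft and "
            "Chrome reject such a cookie outright")
    return findings


def audit_response(headers: list[str]) -> dict[str, list[str]]:
    """Map cookie name -> findings, omitting cookies with nothing to report."""
    report: dict[str, list[str]] = {}
    for header in headers:
        findings = audit_set_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report


if __name__ == "__main__":
    for cookie_name, problems in audit_response(CONSTRUCTED_SET_COOKIES).items():
        for problem in problems:
            print(problem)
```

Run against a capture of your own application's response headers, the first finding is the one to act on: a cookie with no `SameSite` attribute behaves one way in Chrome and another in Firefox and Safari, which is exactly the kind of per-browser divergence the article catalogues.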
@april
Thanks, that's a very interesting article! Out of curiosity, did you keep track of the versions of the programming languages used? It could be nice to do the exercise again in a couple of years to compare 😀
@Seb_Solon I didn’t, although I probably should have. Most of those tests were over a year old, although I don’t think anything has changed in them.
@april Thanks for this great analysis! I hate it.