Network Working Group                                            K. Moore
Request for Comments: 2964                        University of Tennessee
BCP: 44                                                          N. Freed
Category: Best Current Practice                                  Innosoft
                                                             October 2000
        
Network Working Group                                            K. Moore
Request for Comments: 2964                        University of Tennessee
BCP: 44                                                          N. Freed
Category: Best Current Practice                                  Innosoft
                                                             October 2000
        

Use of HTTP State Management

HTTP状态管理的使用

Status of this Memo

本备忘录的状况

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

本文件规定了互联网社区的最佳现行做法,并要求进行讨论和提出改进建议。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

IESG Note

IESG注释

The IESG notes that this mechanism makes use of the .local top-level domain (TLD) internally when handling host names that don't contain any dots, and that this mechanism might not work in the expected way should an actual .local TLD ever be registered.

IESG指出,当处理不包含任何点的主机名时,此机制在内部使用.local顶级域(TLD),并且如果实际注册了.local TLD,此机制可能无法以预期方式工作。

Abstract

摘要

The mechanisms described in "HTTP State Management Mechanism" (RFC-2965), and its predecessor (RFC-2109), can be used for many different purposes. However, some current and potential uses of the protocol are controversial because they have significant user privacy and security implications. This memo identifies specific uses of Hypertext Transfer Protocol (HTTP) State Management protocol which are either (a) not recommended by the IETF, or (b) believed to be harmful, and discouraged. This memo also details additional privacy considerations which are not covered by the HTTP State Management protocol specification.

“HTTP状态管理机制”(RFC-2965)及其前身(RFC-2109)中描述的机制可用于许多不同的目的。然而,该协议的一些当前和潜在用途是有争议的,因为它们对用户隐私和安全有重大影响。本备忘录确定了超文本传输协议(HTTP)状态管理协议的具体用途,这些协议(a)不是IETF推荐的,或者(b)被认为是有害的,不鼓励使用。此备忘录还详细说明了HTTP状态管理协议规范未涵盖的其他隐私注意事项。

1. Introduction
1. 介绍

The HTTP State Management mechanism is both useful and controversial. It is useful because numerous applications of HTTP benefit from the ability to save state between HTTP transactions, without encoding such state in URLs. It is controversial because the mechanism has been used to accomplish things for which it was not designed and is not well-suited. Some of these uses have attracted a great deal of public criticism because they threaten to violate the privacy of web

HTTP状态管理机制既有用又有争议。它很有用,因为许多HTTP应用程序都能在HTTP事务之间保存状态,而无需在URL中对这种状态进行编码。这是有争议的,因为这种机制被用来完成它没有被设计出来并且不太适合的事情。其中一些用途已经引起了大量的公众批评,因为它们有可能侵犯网络隐私

users, specifically by leaking potentially sensitive information to third parties such as the Web sites a user has visited. There are also other uses of HTTP State Management which are inappropriate even though they do not threaten user privacy.

用户,特别是通过向第三方泄露潜在的敏感信息,如用户访问过的网站。HTTP状态管理还有其他不合适的用途,即使它们不会威胁用户隐私。

This memo therefore identifies uses of the HTTP State Management protocol specified in RFC-2965 which are not recommended by the IETF, or which are believed to be harmful and are therefore discouraged.

因此,本备忘录确定了RFC-2965中规定的HTTP状态管理协议的使用,IETF不推荐使用该协议,或者认为该协议有害,因此不鼓励使用该协议。

This document occasionally uses terms that appear in capital letters. When the terms "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" appear capitalized, they are being used to indicate particular requirements of this specification. A discussion of the meanings of the terms "MUST", "SHOULD", and "MAY" appears in [RFC-1123]; the terms "MUST NOT" and "SHOULD NOT" are logical extensions of this usage.

本文档偶尔使用大写字母表示的术语。当术语“必须”、“不得”、“应该”、“不应该”和“可能”出现大写时,它们用于表示本规范的特殊要求。[RFC-1123]中对术语“必须”、“应该”和“可能”的含义进行了讨论;术语“不得”和“不应”是此用法的逻辑扩展。

2. Uses of HTTP State Management
2. HTTP状态管理的使用

The purpose of HTTP State Management is to allow an HTTP-based service to create stateful "sessions" which persist across multiple HTTP transactions. A single session may involve transactions with multiple server hosts. Multiple client hosts may also be involved in a single session when the session data for a particular user is shared between client hosts (e.g., via a networked file system). In other words, the "session" retains state between a "user" and a "service", not between particular hosts.

HTTP状态管理的目的是允许基于HTTP的服务创建有状态的“会话”,这些会话在多个HTTP事务中持续存在。单个会话可能涉及与多个服务器主机的事务。当特定用户的会话数据在客户端主机之间共享时(例如,通过网络文件系统),单个会话中也可能涉及多个客户端主机。换句话说,“会话”保留“用户”和“服务”之间的状态,而不是特定主机之间的状态。

It's important to realize that similar capabilities may also be achieved using the "bare" HTTP protocol, and/or dynamically-generated HTML, without the State Management extensions. For example, state information can be transmitted from the service to the user by embedding a session identifier in one or more URLs which appear in HTTP redirects, or dynamically generated HTML; and the state information may be returned from the user to the service when such URLs appear in a GET or POST request. HTML forms can also be used to pass state information from the service to the user and back, without the user being aware of this happening.

重要的是要认识到,在没有状态管理扩展的情况下,也可以使用“裸”HTTP协议和/或动态生成的HTML来实现类似的功能。例如,通过将会话标识符嵌入出现在HTTP重定向或动态生成的HTML中的一个或多个url中,可以将状态信息从服务传输给用户;当这些url出现在GET或POST请求中时,状态信息可以从用户返回到服务。HTML表单还可以用于将状态信息从服务传递给用户,然后再传递给用户,而用户不会意识到这一点。

However, the HTTP State Management facility does provide an increase in functionality over ordinary HTTP and HTML. In practice, this additional functionality includes:

然而,HTTP状态管理工具确实提供了比普通HTTP和HTML更多的功能。实际上,此附加功能包括:

(1) The ability to exchange URLs between users, of resources accessed during stateful sessions, without leaking the state information associated with those sessions. (e.g. "Here's the URL for the FooCorp web catalog entry for those sandals that you wanted.")

(1) 能够在用户之间交换URL,在有状态会话期间访问的资源的URL,而不会泄漏与这些会话相关的状态信息。(例如,“这是您想要的那些凉鞋的FooCorp web目录条目的URL。”)

(2) The ability to maintain session state without "cache-busting". That is, separating the session state from the URL allows a web cache to maintain only a single copy of the named resource. If the state is maintained in session-specific URLs, the cache would likely have to maintain several identical copies of the resource.

(2) 在没有“缓存破坏”的情况下维护会话状态的能力。也就是说,将会话状态与URL分离允许web缓存仅维护命名资源的单个副本。如果状态是在特定于会话的URL中维护的,则缓存可能必须维护资源的多个相同副本。

(3) The ability to implement sessions with minimal server configuration and minimal protocol overhead, as compared to other techniques of maintaining session state.

(3) 与维护会话状态的其他技术相比,能够以最小的服务器配置和最小的协议开销实现会话。

(4) The ability to associate the user with session state whenever a user accesses the service, regardless of whether the user enters through a particular "home page" or "portal".

(4) 无论用户是通过特定的“主页”还是“门户”进入,只要用户访问服务,就可以将用户与会话状态关联起来。

(5) The ability to save session information in stable storage, so that a "session" can be maintained across client invocations, system reboots, and client or system crashes.

(5) 将会话信息保存在稳定存储中的能力,以便可以跨客户端调用、系统重新启动以及客户端或系统崩溃维护“会话”。

2.1. Recommended Uses
2.1. 推荐用途

Use of HTTP State Management is appropriate whenever it is desirable to maintain state between a user and a service across multiple HTTP transactions, provided that:

只要需要跨多个HTTP事务维护用户和服务之间的状态,就可以使用HTTP状态管理,前提是:

(1) the user is aware that session state is being maintained and consents to it,

(1) 用户知道正在维护会话状态并同意该状态,

(2) the user has the ability to delete the state associated with such a session at any time,

(2) 用户能够随时删除与该会话相关联的状态,

(3) the information obtained through the ability to track the user's usage of the service is not disclosed to other parties without the user's explicit consent, and

(3) 未经用户明确同意,通过跟踪用户使用服务的能力获得的信息不会披露给其他方,以及

(4) session information itself cannot contain sensitive information and cannot be used to obtain sensitive information that is not otherwise available to an eavesdropper.

(4) 会话信息本身不能包含敏感信息,也不能用于获取窃听者无法获得的敏感信息。

This last point is important because cookies are usually sent in the clear and hence are readily available to eavesdroppers.

最后一点很重要,因为Cookie通常以明文形式发送,因此窃听者很容易获得。

An example of such a recommended use would be a "shopping cart", where the existence of the shopping cart is explicitly made known to the user, the user can explicitly "empty" his or her shopping cart (either by requesting that it be emptied or by purchasing those

这种推荐使用的一个例子是“购物车”,其中用户明确地知道购物车的存在,用户可以明确地“清空”他或她的购物车(通过请求清空购物车或通过购买购物车)

items) and thus cause the shared state to be discarded, and the service asserts that it will not disclose the user's shopping or browsing habits to third parties without the user's consent.

项目),从而导致共享状态被丢弃,服务声称,未经用户同意,不会向第三方披露用户的购物或浏览习惯。

Note that the HTTP State Management protocol effectively allows a service provider to refuse to provide a service, or provide a reduced level of service, if the user or a user's client fails to honor a request to maintain session state. Absent legal prohibition to the contrary, the server MAY refuse to provide the service, or provide a reduced level of service, under these conditions. As a purely practical consideration, services designed to utilize HTTP State Management may be unable to function properly if the client does not provide it. Such servers SHOULD gracefully handle such conditions and explain to the user why the full level of service is not available.

请注意,HTTP状态管理协议有效地允许服务提供商拒绝提供服务,或在用户或用户的客户端未能满足维护会话状态的请求时提供降低的服务级别。如果没有相反的法律禁止,在这些条件下,服务器可能拒绝提供服务,或提供降低的服务水平。纯粹出于实际考虑,如果客户机不提供HTTP状态管理,则设计用于利用HTTP状态管理的服务可能无法正常运行。此类服务器应优雅地处理此类情况,并向用户解释为什么无法提供完整级别的服务。

2.2. Problematic Uses
2.2. 有问题的用途

The following uses of HTTP State Management are deemed inappropriate and contrary to this specification:

HTTP状态管理的以下用途被视为不合适且违反本规范:

2.2.1. Leakage of Information to Third Parties
2.2.1. 向第三方泄露信息

HTTP State Management MUST NOT be used to leak information about the user or the user's browsing habits to other parties besides the user or service, without the user's explicit consent. Such usage is prohibited even if the user's name or other externally-assigned identifier are not exposed to other parties, because the state management mechanism itself provides an identifier which can be used to compile information about the user.

未经用户明确同意,不得使用HTTP状态管理将有关用户或用户浏览习惯的信息泄露给用户或服务以外的其他方。即使用户名或其他外部分配的标识符未向其他方公开,也禁止此类使用,因为状态管理机制本身提供了一个标识符,可用于编译有关用户的信息。

Because such practices encourage users to defeat HTTP State Management mechanisms, they tend to reduce the effectiveness of HTTP State Management, and are therefore considered detrimental to the operation of the web.

由于这种做法鼓励用户破坏HTTP状态管理机制,因此它们往往会降低HTTP状态管理的有效性,因此被认为对web的运行有害。

2.2.2. Use as an Authentication Mechanism
2.2.2. 用作身份验证机制

It is generally inappropriate to use the HTTP State Management protocol as an authentication mechanism. HTTP State Management is not designed with such use in mind, and safeguards for protection of authentication credentials are lacking in both the protocol specification and in widely deployed HTTP clients and servers. Most HTTP sessions are not encrypted and "cookies" may therefore be exposed to passive eavesdroppers. Furthermore, HTTP clients and servers typically store "cookies" in cleartext with little or no protection against exposure. HTTP State Management therefore SHOULD

使用HTTP状态管理协议作为身份验证机制通常是不合适的。HTTP状态管理的设计并没有考虑到这种使用,协议规范和广泛部署的HTTP客户端和服务器中都缺乏保护身份验证凭据的保护措施。大多数HTTP会话都没有加密,“cookie”因此可能会暴露给被动窃听者。此外,HTTP客户机和服务器通常以明文形式存储“cookie”,很少或根本没有防止暴露的保护。因此,HTTP状态管理应该

NOT be used as an authentication mechanism to protect information from being exposed to unauthorized parties, even if the HTTP sessions are encrypted.

不能用作身份验证机制,以防止信息暴露给未经授权的方,即使HTTP会话已加密。

The prohibition against using HTTP State Management for authentication includes both its use to protect information which is provided by the service, and its use to protect potentially sensitive information about the user which is entrusted to the service's care. For example, it would be inappropriate to expose a user's name, address, telephone number, or billing information to a client that merely presented a cookie which had been previously associated with the user.

禁止使用HTTP状态管理进行身份验证,包括使用HTTP状态管理来保护服务提供的信息,以及使用HTTP状态管理来保护委托服务管理的用户的潜在敏感信息。例如,将用户的姓名、地址、电话号码或账单信息公开给只提供了以前与用户关联的cookie的客户机是不合适的。

Similarly, HTTP State Management SHOULD NOT be used to authenticate user requests if unauthorized requests might have undesirable side-effects for the user, unless the user is aware of the potential for such side-effects and explicitly consents to such use. For example, a service which allowed a user to order merchandise with a single "click", based entirely on the user's stored "cookies", could inconvenience the user by requiring her to dispute charges to her credit card, and/or return the unwanted merchandise, in the event that the cookies were exposed to third parties.

类似地,如果未经授权的请求可能会对用户产生不良的副作用,则不应使用HTTP状态管理对用户请求进行身份验证,除非用户意识到此类副作用的可能性并明确同意此类使用。例如,一项服务允许用户完全基于用户存储的“cookies”通过一次“点击”订购商品,如果cookies暴露给第三方,则可能会要求用户对信用卡收费提出异议和/或退回不需要的商品,从而给用户带来不便。

Some uses of HTTP State Management to identify users may be relatively harmless, for example, if the only information which can be thus exposed belongs to the service, and the service will suffer little harm from the exposure of such information.

使用HTTP状态管理来识别用户的某些用途可能相对无害,例如,如果因此可以公开的唯一信息属于该服务,并且该服务将不会因此类信息的公开而受到什么伤害。

3. User Interface Considerations for HTTP State Management
3. HTTP状态管理的用户界面注意事项

HTTP State Management has been very controversial because of its potential to expose information about a user's browsing habits to third parties, without the knowledge or consent of the user. While such exposure is possible, this is less a flaw in the protocol itself than a failure of HTTP client implementations (and of some providers of HTTP-based services) to protect users' interests.

HTTP状态管理一直备受争议,因为它可能会在用户不知情或不同意的情况下,将用户浏览习惯的信息泄露给第三方。虽然这种暴露是可能的,但这与其说是协议本身的缺陷,不如说是HTTP客户端实现(以及一些基于HTTP的服务提供商)未能保护用户的利益。

As implied above, there are other ways to maintain session state than using HTTP State Management, and therefore other ways in which users' browsing habits can be tracked. Indeed, it is difficult to imagine how the HTTP protocol or an HTTP client could actually prevent a service from disclosing a user's "click trail" to other parties if the service chose to do so. Protection of such information from inappropriate exposure must therefore be the responsibility of the service. HTTP client implementations inherently cannot provide such protection, though they can implement countermeasures which make it more difficult for HTTP State Management to be used as the mechanism by which such information is exposed.

如上所述,除了使用HTTP状态管理之外,还有其他维护会话状态的方法,因此也有其他跟踪用户浏览习惯的方法。事实上,很难想象HTTP协议或HTTP客户端如何实际阻止服务向其他方披露用户的“点击痕迹”(如果服务选择这样做)。因此,服务部门必须负责保护此类信息不被不当暴露。HTTP客户机实现本身无法提供这种保护,尽管它们可以实现对策,这使得HTTP状态管理更难以用作公开此类信息的机制。

It is arguable that HTTP clients should provide more protection in general against inappropriate exposure of tracking information, regardless of whether the exposure were facilitated by use of HTTP State Management or by some other means. However, issues related to other mechanisms are beyond the scope of this memo.

有争议的是,HTTP客户端通常应该提供更多的保护,以防止不适当地暴露跟踪信息,而不管这种暴露是通过使用HTTP状态管理还是通过某些其他方式来实现的。然而,与其他机制有关的问题超出了本备忘录的范围。

3.1. Capabilities Required of an HTTP Client
3.1. HTTP客户端所需的功能

A user's willingness to consent to use of HTTP State Management is likely to vary from one service to another, according to whether the user trusts the service to use the information appropriately and to limit its exposure to other parties. The user therefore SHOULD be able to control whether his client supports a service's request to use HTTP State Management, on a per-service basis. In particular:

用户同意使用HTTP状态管理的意愿可能因服务而异,这取决于用户是否信任服务适当使用信息并限制其对其他方的暴露。因此,用户应该能够控制其客户端是否支持服务的请求,以便在每个服务的基础上使用HTTP状态管理。特别地:

(1) Clients MUST NOT respond to HTTP State Management requests unless explicitly enabled by the user.

(1) 除非用户明确启用,否则客户端不得响应HTTP状态管理请求。

(2) Clients SHOULD provide an effective interface which allows users to review, and approve or refuse, any particular requests from a server to maintain state information, before the client provides any state information to the server.

(2) 客户端应提供一个有效的界面,允许用户在客户端向服务器提供任何状态信息之前,审查、批准或拒绝来自服务器的任何特定请求,以维护状态信息。

(3) Clients SHOULD provide an effective interface which allows users to instruct their clients to ignore all requests from a particular service to maintain state information, on a per-service basis, immediately in response to any particular request from a server, before the client provides any state information to the server.

(3) 客户机应提供一个有效的界面,允许用户指示其客户机忽略来自特定服务的所有请求,以便在客户机向服务器提供任何状态信息之前,立即根据每个服务维护状态信息,以响应来自服务器的任何特定请求。

(4) Clients SHOULD provide an effective interface which allows a user to disable future transmission of any state information to a service, and/or discard any saved state information for that service, even though the user has previously approved a service's request to maintain state information.

(4) 客户端应提供一个有效的界面,允许用户禁用将来向服务传输任何状态信息,和/或丢弃该服务保存的任何状态信息,即使用户先前已批准服务维护状态信息的请求。

(5) Clients SHOULD provide an effective interface which allows a user to terminate a previous request not to retain state management information for a given service.

(5) 客户端应该提供一个有效的接口,允许用户终止以前的请求,而不保留给定服务的状态管理信息。

3.2. Limitations of the domain-match algorithm
3.2. 域匹配算法的局限性

The domain-match algorithm in RFC-2965 section 2 is intended as a heuristic to allow a client to "guess" whether or not two domains are part of the same service. There are few rules about how domain names can be used, and the structure of domain names and how they are delegated varies from one top-level domain to another (i.e. the client cannot tell which part of the domain was assigned to the

RFC-2965第2节中的域匹配算法是一种启发式算法,允许客户端“猜测”两个域是否属于同一服务。关于如何使用域名的规则很少,域名的结构以及如何委托域名在不同的顶级域名之间也有所不同(即,客户无法分辨域名的哪个部分被分配给了客户)

service). Therefore NO string comparison algorithm (including the domain-match algorithm) can be relied on to distinguish a domain that belongs to a particular service, from a domain that belongs to another party.

服务)。因此,不能依靠字符串比较算法(包括域匹配算法)来区分属于特定服务的域和属于另一方的域。

As stated above, each service is ultimately responsible for ensuring that user information is not inappropriately leaked to third parties. Leaking information to third parties via State Management by careful selection of domain names, or by assigning domain names to hosts maintained by third parties, is at least as inappropriate as leaking the same information by other means.

如上所述,每项服务最终负责确保用户信息不会不适当地泄露给第三方。通过国家管理,通过仔细选择域名,或通过将域名分配给第三方维护的主机,向第三方泄露信息,至少与通过其他方式泄露相同信息一样不合适。

4. Security Considerations
4. 安全考虑

This entire memo is about security considerations.

整个备忘录都是关于安全考虑的。

5. Authors' Addresses
5. 作者地址

Keith Moore University of Tennessee Computer Science Department 1122 Volunteer Blvd, Suite 203 Knoxville TN, 37996-3450

基思穆尔田纳西大学计算机科学系1122志愿者BLVD,203诺克斯维尔TN套房,37 964-3550

   EMail: moore@cs.utk.edu
        
   EMail: moore@cs.utk.edu
        

Ned Freed Innosoft International, Inc. 1050 Lakes Drive West Covina, CA 81790

Ned Freed Innosoft International,Inc.加利福尼亚州西科维纳湖大道1050号,邮编81790

   EMail: ned.freed@innosoft.com
        
   EMail: ned.freed@innosoft.com
        
6. References
6. 工具书类

[RFC 1123] Braden, R., "Requirements for Internet Hosts -- Application and Support", STD 3, RFC 1123, October 1989.

[RFC 1123]Braden,R.,“互联网主机的要求——应用和支持”,STD 3,RFC 1123,1989年10月。

[RFC 2965] Kristol, D. and L. Montulli, "HTTP State Management Mechanism", RFC 2965, October 2000.

[RFC 2965]Kristol,D.和L.Montulli,“HTTP状态管理机制”,RFC 2965,2000年10月。

[RFC 2109] Kristol, D. and L. Montulli, "HTTP State Management Mechanism", RFC 2109, February 1997.

[RFC 2109]Kristol,D.和L.Montulli,“HTTP状态管理机制”,RFC 2109,1997年2月。

7. Full Copyright Statement
7. 完整版权声明

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。