session-continuation-spec.html

<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en"><head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Hypertext Transport Protocol (HTTP) Session Continuation Protocol</title><style type="text/css" title="Xml2Rfc (sans serif)">
a {
  text-decoration: none;
}
a.smpl {
  color: black;
}
a:hover {
  text-decoration: underline;
}
a:active {
  text-decoration: underline;
}
address {
  margin-top: 1em;
  margin-left: 2em;
  font-style: normal;
}
body {
  color: black;
  font-family: verdana, helvetica, arial, sans-serif;
  font-size: 10pt;
  margin-right: 2em;
}
cite {
  font-style: normal;
}
dl {
  margin-left: 2em;
}
ul.empty {
  list-style-type: none;
}
ul.empty li {
  margin-top: .5em;
}
dl p {
  margin-left: 0em;
}
dt {
  margin-top: .5em;
}
h1 {
  font-size: 14pt;
  line-height: 21pt;
  page-break-after: avoid;
}
h1.np {
  page-break-before: always;
}
h1 a {
  color: #333333;
}
h2 {
  font-size: 12pt;
  line-height: 15pt;
  page-break-after: avoid;
}
h3, h4, h5, h6 {
  font-size: 10pt;
  page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
  color: black;
}
img {
  margin-left: 3em;
}
li {
  margin-left: 2em;
}
ol {
  margin-left: 2em;
}
ol.la {
  list-style-type: lower-alpha;
}
ol.ua {
  list-style-type: upper-alpha;
}
ol p {
  margin-left: 0em;
}
p {
  margin-left: 2em;
}
pre {
  margin-left: 3em;
  background-color: lightyellow;
  padding: .25em;
  page-break-inside: avoid;
}
pre.text2 {
  border-style: dotted;
  border-width: 1px;
  background-color: #f0f0f0;
  width: 69em;
}
pre.inline {
  background-color: white;
  padding: 0em;
}
pre.text {
  border-style: dotted;
  border-width: 1px;
  background-color: #f8f8f8;
  width: 69em;
}
pre.drawing {
  border-style: solid;
  border-width: 1px;
  background-color: #f8f8f8;
  padding: 2em;
}
table {
  margin-left: 2em;
}
table.header {
  border-spacing: 1px;
  width: 95%;
  font-size: 10pt;
  color: white;
}
td.top {
  vertical-align: top;
}
td.topnowrap {
  vertical-align: top;
  white-space: nowrap; 
}
table.header td {
  background-color: gray;
  width: 50%;
}
table.header a {
  color: white;
}
td.reference {
  vertical-align: top;
  white-space: nowrap;
  padding-right: 1em;
}
thead {
  display:table-header-group;
}
ul.toc, ul.toc ul {
  list-style: none;
  margin-left: 1.5em;
  padding-left: 0em;
}
ul.toc li {
  line-height: 150%;
  font-weight: bold;
  font-size: 10pt;
  margin-left: 0em;
}
ul.toc li li {
  line-height: normal;
  font-weight: normal;
  font-size: 9pt;
  margin-left: 0em;
}
li.excluded {
  font-size: 0pt;
}
ul p {
  margin-left: 0em;
}

.comment {
  background-color: yellow;
}
.center {
  text-align: center;
}
.error {
  color: red;
  font-style: italic;
  font-weight: bold;
}
.figure {
  font-weight: bold;
  text-align: center;
  font-size: 9pt;
}
.filename {
  color: #333333;
  font-weight: bold;
  font-size: 12pt;
  line-height: 21pt;
  text-align: center;
}
.fn {
  font-weight: bold;
}
.hidden {
  display: none;
}
.left {
  text-align: left;
}
.right {
  text-align: right;
}
.title {
  color: #990000;
  font-size: 18pt;
  line-height: 18pt;
  font-weight: bold;
  text-align: center;
  margin-top: 36pt;
}
.vcardline {
  display: block;
}
.warning {
  font-size: 14pt;
  background-color: yellow;
}


@media print {
  .noprint {
    display: none;
  }
  
  a {
    color: black;
    text-decoration: none;
  }

  table.header {
    width: 90%;
  }

  td.header {
    width: 50%;
    color: black;
    background-color: white;
    vertical-align: top;
    font-size: 12pt;
  }

  ul.toc a::after {
    content: leader('.') target-counter(attr(href), page);
  }
  
  ul.ind li li a {
    content: target-counter(attr(href), page);
  }
  
  .print2col {
    column-count: 2;
    -moz-column-count: 2;
    column-fill: auto;
  }
}

@page {
  @top-left {
       content: "Internet-Draft"; 
  } 
  @top-right {
       content: "January 2013"; 
  } 
  @top-center {
       content: "HTTP Session Problem"; 
  } 
  @bottom-left {
       content: "Williams"; 
  } 
  @bottom-center {
       content: "Expires July 5, 2013"; 
  } 
  @bottom-right {
       content: "[Page " counter(page) "]"; 
  } 
}

@page:first { 
    @top-left {
      content: normal;
    }
    @top-right {
      content: normal;
    }
    @top-center {
      content: normal;
    }
}
</style><link rel="Contents" href="#rfc.toc"><link rel="Author" href="#rfc.authors"><link rel="Copyright" href="#rfc.copyrightnotice"><link rel="Chapter" title="1 Introduction" href="#rfc.section.1"><link rel="Chapter" title="2 Session Keying" href="#rfc.section.2"><link rel="Chapter" title="3 Session Initiation" href="#rfc.section.3"><link rel="Chapter" title="4 Session Scope: Sharing Sessions Across Servers" href="#rfc.section.4"><link rel="Chapter" title="5 Unauthenticated to Authenticated Session Upgrade" href="#rfc.section.5"><link rel="Chapter" title="6 Session Continuation" href="#rfc.section.6"><link rel="Chapter" title="7 Logout" href="#rfc.section.7"><link rel="Chapter" title="8 Inquiring Session Status" href="#rfc.section.8"><link rel="Chapter" title="9 Analysis" href="#rfc.section.9"><link rel="Chapter" title="10 IANA Considerations" href="#rfc.section.10"><link rel="Chapter" title="11 Security Considerations" href="#rfc.section.11"><link rel="Chapter" href="#rfc.section.12" title="12 References"><meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.580, 2012-06-03 11:18:18, XSLT vendor: SAXON 9.0.0.4 from Saxonica http://www.saxonica.com/"><meta name="keywords" content="Internet-Draft"><link rel="schema.dct" href="http://purl.org/dc/terms/"><meta name="dct.creator" content="Williams, N."><meta name="dct.identifier" content="urn:ietf:id:draft-williams-websec-session-continue-proto-00"><meta name="dct.issued" scheme="ISO8601" content="2013-01-01"><meta name="dct.abstract" content="One of the most often talked about problems in web security is &#8220;cookies&#8221;. Web cookies are a method of associating requests with &#8220;sessions&#8221; that may have been authenticated somehow. Cookies are a form of bearer token that leave much to be desired. This document proposes a session &#8220;continuation&#8221; protocol for HyperText Transport Protocol (HTTP)."><meta name="description" content="One of the most often talked about problems in web security is &#8220;cookies&#8221;. Web cookies are a method of associating requests with &#8220;sessions&#8221; that may have been authenticated somehow. Cookies are a form of bearer token that leave much to be desired. This document proposes a session &#8220;continuation&#8221; protocol for HyperText Transport Protocol (HTTP)."></head><body><table class="header"><tbody><tr><td class="left">Network Working Group</td><td class="right">N. Williams</td></tr><tr><td class="left">Internet-Draft</td><td class="right">Cryptonector</td></tr><tr><td class="left">Intended status: Standards Track</td><td class="right">January 1, 2013</td></tr><tr><td class="left">Expires: July 5, 2013</td><td class="right"></td></tr></tbody></table><p class="title">Hypertext Transport Protocol (HTTP) Session Continuation Protocol<br><span class="filename">draft-williams-websec-session-continue-proto-00</span></p><h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1><p>One of the most often talked about problems in web security is &#8220;cookies&#8221;. Web cookies are a method of associating requests with &#8220;sessions&#8221; that may have been authenticated somehow. Cookies are a form of bearer token that leave much to be desired. This document proposes a session &#8220;continuation&#8221; protocol for HyperText Transport Protocol (HTTP).</p><h1><a id="rfc.status" href="#rfc.status">Status of this Memo</a></h1><p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p><p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at <a href="http://datatracker.ietf.org/drafts/current/">http://datatracker.ietf.org/drafts/current/</a>.</p><p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as &#8220;work in progress&#8221;.</p><p>This Internet-Draft will expire on July 5, 2013.</p><h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1><p>Copyright © 2013 IETF Trust and the persons identified as the document authors. All rights reserved.</p><p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p><hr class="noprint"><h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1><ul class="toc"><li>1.&nbsp;&nbsp;&nbsp;<a href="#sec_Introduction">Introduction</a><ul><li>1.1&nbsp;&nbsp;&nbsp;<a href="#d1e316">Conventions used in this document</a></li></ul></li><li>2.&nbsp;&nbsp;&nbsp;<a href="#d1e331">Session Keying</a><ul><li>2.1&nbsp;&nbsp;&nbsp;<a href="#d1e368">Mixing HTTP and HTTPS</a></li><li>2.2&nbsp;&nbsp;&nbsp;<a href="#d1e378">Authenticated Session Keying</a><ul><li>2.2.1&nbsp;&nbsp;&nbsp;<a href="#d1e387">HTTP/Negotiate Session Keying</a></li><li>2.2.2&nbsp;&nbsp;&nbsp;<a href="#d1e396">Digest</a></li></ul></li><li>2.3&nbsp;&nbsp;&nbsp;<a href="#d1e405">Unauthenticated Session Keying</a></li></ul></li><li>3.&nbsp;&nbsp;&nbsp;<a href="#d1e417">Session Initiation</a></li><li>4.&nbsp;&nbsp;&nbsp;<a href="#sec_Session_Scope__Sharing">Session Scope: Sharing Sessions Across Servers</a></li><li>5.&nbsp;&nbsp;&nbsp;<a href="#sec_Unauthenticated_to_Authenticated">Unauthenticated to Authenticated Session Upgrade</a></li><li>6.&nbsp;&nbsp;&nbsp;<a href="#d1e660">Session Continuation</a><ul><li>6.1&nbsp;&nbsp;&nbsp;<a href="#d1e706">Session Validation and Error Handling</a></li><li>6.2&nbsp;&nbsp;&nbsp;<a href="#sub_Session_Expiration_and">Session Expiration and Renewal</a></li><li>6.3&nbsp;&nbsp;&nbsp;<a href="#d1e736">Alternative: Define Session Scheme for WWW-Authenticate</a></li></ul></li><li>7.&nbsp;&nbsp;&nbsp;<a href="#d1e745">Logout</a></li><li>8.&nbsp;&nbsp;&nbsp;<a href="#d1e754">Inquiring Session Status</a></li><li>9.&nbsp;&nbsp;&nbsp;<a href="#sec_Analysis">Analysis</a></li><li>10.&nbsp;&nbsp;&nbsp;<a href="#sec_IANA_Considerations">IANA Considerations</a></li><li>11.&nbsp;&nbsp;&nbsp;<a href="#sec_Security_Considerations">Security Considerations</a></li><li>12.&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul><li>12.1&nbsp;&nbsp;&nbsp;<a href="#rfc.references.1">Normative References</a></li><li>12.2&nbsp;&nbsp;&nbsp;<a href="#rfc.references.2">Informative References</a></li></ul></li><li><a href="#rfc.authors">Author's Address</a></li></ul><ul class="toc"><li>Figures
        <ul><li><a href="#rfc.figure.1">Figure 1: Session-Init request header</a></li><li><a href="#rfc.figure.2">Figure 2: Session-Assign response header</a></li><li><a href="#rfc.figure.3">Figure 3: Session header</a></li></ul></li></ul><hr class="noprint"><h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;<a id="sec_Introduction" href="#sec_Introduction">Introduction</a></h1><p id="rfc.section.1.p.1">The motivation for this protocol is described in <a href="#I-D.williams-websec-session-continue-prob"><cite title="Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement">[I-D.williams-websec-session-continue-prob]</cite></a>.</p><p id="rfc.section.1.p.2">We define a protocol for cryptographic &#8220;session continuation&#8221; for HyperText Transport Protocol (HTTP) <a href="#RFC2616"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a>. Session continuation is the act of binding an HTTP request to a &#8220;session&#8221;. A &#8220;session&#8221; consists of all the HTTP requests by a given user (possibly an authenticated user, or possibly an anonymous user). This protocol is a cryptographic protocol that aims to meet all the requirements given in <a href="#I-D.williams-websec-session-continue-prob"><cite title="Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement">[I-D.williams-websec-session-continue-prob]</cite></a>.</p><p id="rfc.section.1.p.3">The protocol consists of:</p><p id="rfc.section.1.p.4"> </p><ul><li>a request header carrying a keyed Message Authentication Code (MAC) that proves possession of a shared session key (shared between the user and the server);</li><li>a response header advertising a default session scope to clients;</li><li>a session identification in the form of a URI;</li><li>an optional facility for server-side statelessness by storing state on the client-side, encrypted in a secret key known to the server;</li><li>a request header for requesting the establishment of a session;</li><li>a response header for indicating the establishment of a session, and including a session URI and any optional state to be repeated by the client.</li></ul><h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a>&nbsp;<a id="d1e316" href="#d1e316">Conventions used in this document</a></h2><p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <a href="#RFC2119"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>.</p><hr class="noprint"><h1 id="rfc.section.2" class="np"><a href="#rfc.section.2">2.</a>&nbsp;<a id="d1e331" href="#d1e331">Session Keying</a></h1><p id="rfc.section.2.p.1">There are two methods for keying an HTTP session:</p><p id="rfc.section.2.p.2"> </p><ul><li>session keys are output by HTTP authentication;</li><li>or session keys are asserted by the client or the server;</li></ul><p id="rfc.section.2.p.3">For the key assertion method TLS with confidentiality protection is clearly REQUIRED for security. We've considered the possibility of using Diffie-Hellman key agreement or RSA key transport, but as that would duplicate functionality that is in TLS we consider that out of scope for the time being.</p><p id="rfc.section.2.p.4">In either case a single session key is produced, and that is the only key utilized. Having a single key helps reduce session state size and protocol complexity, but we must (and do) distinguish key usage by prefixing a purpose indicator to the MAC input.</p><p id="rfc.section.2.p.5">When keys are output by HTTP authentication there may be a key length mismatch. In this case a Key Derivation Function (KDF) <a href="#RFC5869"><cite title="HMAC-based Extract-and-Expand Key Derivation Function (HKDF)">[RFC5869]</cite></a> is applied to generate the session key.</p><p id="rfc.section.2.p.6"> <span class="comment" id="rfc.comment.1">[<a href="#rfc.comment.1" class="smpl">rfc.comment.1</a>: We could also use the TLS extractor to generate keys, but that would be an unnecessary complication and would provide very little additional value. Channel binding is achieved per-RFCs 5056 and 5929.]</span> </p><p id="rfc.section.2.p.7"> <span class="comment" id="rfc.comment.2">[<a href="#rfc.comment.2" class="smpl">rfc.comment.2</a>: Should we have distinct session keys for request and response MACs? Probably, but it increases state size. Better to add a direction indicator to the MAC plaintext.]</span> </p><h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;<a id="d1e368" href="#d1e368">Mixing HTTP and HTTPS</a></h2><p id="rfc.section.2.1.p.1">We expect that many sites will continue to mix HTTP and HTTPS for various reasons. To make this possible the MAC input will include a marker indicating HTTP or HTTPS.</p><h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="d1e378" href="#d1e378">Authenticated Session Keying</a></h2><p id="rfc.section.2.2.p.1">When an HTTP client uses HTTP authentication, and the authentication mechanism used can establish a session key, then the client SHOULD request session initiation using a shared session key output by the HTTP authentication mechanism. The client MUST send the session initiation header concurrently with the last HTTP authentication message.</p><h3 id="rfc.section.2.2.1"><a href="#rfc.section.2.2.1">2.2.1</a>&nbsp;<a id="d1e387" href="#d1e387">HTTP/Negotiate Session Keying</a></h3><p id="rfc.section.2.2.1.p.1"> <span class="comment" id="rfc.comment.3">[<a href="#rfc.comment.3" class="smpl">rfc.comment.3</a>: Write text explaining how to use the GSS PRF to exchange keys when using HTTP/Negotiate]</span> </p><h3 id="rfc.section.2.2.2"><a href="#rfc.section.2.2.2">2.2.2</a>&nbsp;<a id="d1e396" href="#d1e396">Digest</a></h3><p id="rfc.section.2.2.2.p.1"> <span class="comment" id="rfc.comment.4">[<a href="#rfc.comment.4" class="smpl">rfc.comment.4</a>: Digest could output a session key. Do we want to bother? (Basic certainly can't, or we'd not want it to anyways.)]</span> </p><h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;<a id="d1e405" href="#d1e405">Unauthenticated Session Keying</a></h2><p id="rfc.section.2.3.p.1">Sessions for unauthenticated users may appear to make little sense at first. This is useful, for example, and just as web cookies are, for tracking &#8220;shopping carts&#8221; when a user is window shopping, so to speak.</p><p id="rfc.section.2.3.p.2">For unauthenticated session initiation the client merely requests the creation of a session with an asserted session key, for lack of a better choice.</p><hr class="noprint"><h1 id="rfc.section.3" class="np"><a href="#rfc.section.3">3.</a>&nbsp;<a id="d1e417" href="#d1e417">Session Initiation</a></h1><p id="rfc.section.3.p.1">Sessions are always initiated by the client by including a Session-Init header in the client's request carrying the client's proposal for a session.</p><p id="rfc.section.3.p.2">Servers that support sessions will respond by creating a session and returning a session ID URI.</p><p id="rfc.section.3.p.3">The Session-Init proposal header's value consists of a comma-separated list of proposal parameters:</p><p id="rfc.section.3.p.5"> </p><div id="magicparlabel-124"></div><div id="rfc.figure.1"></div><pre>   session-param = token "=" ( token | quoted-string )
   Session-Init = 1#session-param</pre><p class="figure">Figure 1: Session-Init request header</p><p id="rfc.section.3.p.6">The following session parameters are defined:</p><p id="rfc.section.3.p.7"> </p><dl><dt>Key-Method</dt><dd>The type of keying: &#8220;auth&#8221; (key will be output by HTTP authentication), &#8220;c-assert&#8221; (key is asserted in this Session-Init) or &#8220;s-assert&#8221; (the server is expected to assert a key). In the &#8220;auth&#8221; case the Session-Init MUST also carry a nonce and a MAC. This session-param MUST be present.</dd><dt>Key</dt><dd>The key that the client asserts, if the client asserts a key (Key-Method=c-assert). This may also be included when Key-Method is &#8220;auth&#8221; in case the server's implementation of HTTP authentication does not output a key, but only when using HTTPS.</dd><dt>Key-Length</dt><dd>The length of the master session key, as a count of key bits, in base-10. The value MUST NOT be less than 96 or larger than 256. If absent the key length SHALL be 128 bits.</dd><dt>MAC-Algs</dt><dd>The MAC algorithms supported by the client. This document defines only &#8220;HMAC-SHA-1&#8221; (HMAC with SHA-1), &#8220;HMAC-SHA-1-96&#8221; (HMAC with SHA-1 and truncation to 96 bits), &#8220;HMAC-SHA256&#8221; (HMAC with SHA256), and &#8220;HMAC-SHA256-128&#8221; (HMAC with SHA256 and truncation to 128 bits). All of these use HMAC <a href="#RFC2104"><cite title="HMAC: Keyed-Hashing for Message Authentication">[RFC2104]</cite></a>. Clients and servers MUST support HMAC-SHA-1-96 and HMAC-SHA256-128. If absent the default value is &#8220;HMAC-SHA256-128&#8221;.</dd><dt>KDF-Algs</dt><dd>A list of KDF algorithms. This is needed only when Key-Method is &#8220;auth&#8221;. The following are specified here: &#8220;HKDF-SHA-1&#8221; (HKDF <a href="#RFC5869"><cite title="HMAC-based Extract-and-Expand Key Derivation Function (HKDF)">[RFC5869]</cite></a> with SHA-1) and &#8220;HKDF-SHA256&#8221; (HKDF with SHA256). Clients and servers MUST support HKDF-SHA256. If absent and Key-Method is &#8220;auth&#8221; then the default value is HKDF-SHA256.</dd><dt>Channel-Binding-Types</dt><dd>A comma-separated list of channel binding <a href="#RFC5056"><cite title="On the Use of Channel Bindings to Secure Channels">[RFC5056]</cite></a> types. Clients and servers MUST support 'tls-server-end-point' <a href="#RFC5929"><cite title="Channel Bindings for TLS">[RFC5929]</cite></a> when using HTTPS. (Note the need to use quoted-string when the list has more than one item.) If absent the default is 'tls-server-end-point'.</dd><dt>Nonce</dt><dd>A 128-bit nonce, base64-encoded. This session-param MUST be present.</dd><dt>Previous-Session-URI</dt><dd>The URI of a previous session. See <a href="#sec_Unauthenticated_to_Authenticated" title="Unauthenticated to Authenticated Session Upgrade">Section&nbsp;5</a>.</dd><dt>Previous-Session-State</dt><dd>The session state for the previous session, if any. See <a href="#sec_Unauthenticated_to_Authenticated" title="Unauthenticated to Authenticated Session Upgrade">Section&nbsp;5</a>.</dd><dt>Unprotected-Allowed</dt><dd>If present the value MUST be &#8220;true&#8221;, and indicates that HTTP and HTTPS are both allowed for this session. Otherwise only HTTPS is allowed for this session.</dd></dl><p id="rfc.section.3.p.8">The server responds with a Session-Assign header:</p><p id="rfc.section.3.p.10"> </p><div id="magicparlabel-170"></div><div id="rfc.figure.2"></div><pre>   session-params = 1#session-param
   Session-Init-Value = &lt;the value of the Session-Init header&gt;
   MAC-input = Session-Init-Value "," session-params
   MAC = &lt;base64-encoding of MAC taken over the MAC-input&gt;
   Session-Assign = session-params ["," MAC]</pre><p class="figure">Figure 2: Session-Assign response header</p><p id="rfc.section.3.p.11">The MAC is OPTIONAL when using HTTPS, REQUIRED otherwise.</p><p id="rfc.section.3.p.12">The session-params for Session-Assign are:</p><p id="rfc.section.3.p.13"> </p><dl><dt>Key-Method</dt><dd>If the client requested &#8220;auth&#8221; as the key method but the server's implementation of HTTP authentication could not output a key then this session-param MUST be present with a value of &#8220;c-assert&#8221; (if the client included a Key in its Session-Init) or &#8220;s-assert&#8221; (otherwise).</dd><dt>Key</dt><dd>The server-asserted key, if the client requested a server-asserted key.</dd><dt>MAC-Alg</dt><dd>The name of the MAC algorithm selected by the server from the client's proposal (REQUIRED).</dd><dt>KDF-Alg</dt><dd>The selected KDF algorithm (when the client's selected Key-Method is &#8220;auth&#8221;).</dd><dt>URI</dt><dd>The URI of the session (REQUIRED).</dd><dt>State</dt><dd>Server-side state to be stored on the client (OPTIONAL). Note that servers MAY choose to store server-side state in cookies instead.</dd><dt>Previous-Session</dt><dd>Indicates whether the previous session was recognized and accepted (&#8220;accepted&#8221;), rejected (&#8220;rejected&#8221;), or unknown (&#8220;unknown&#8221;). This session-param MUST be present when the client's Session-Init had a Previous-Session-URI session-param.</dd><dt>Host-Scope</dt><dd>A DNS domainname (in A-label form) that the session can be used with. Multiple Scope parameters are allowed. If the domainname starts with a '.' then the session may be used with all server hosts whose domainnames are sub-domains of the given Host-Scope domainname. The server's fully-qualified hostname is always part of the session's host scope.</dd></dl><hr class="noprint"><h1 id="rfc.section.4" class="np"><a href="#rfc.section.4">4.</a>&nbsp;<a id="sec_Session_Scope__Sharing" href="#sec_Session_Scope__Sharing">Session Scope: Sharing Sessions Across Servers</a></h1><p id="rfc.section.4.p.1">A service might be composed of multiple related servers, each with a different hostname. As a result the service may require a client to use the same session across the service's component servers. We provide a mechanism by which the server may indicate a set of such servers to the client: the Host-Scope session-param in the server's Session-Assign response header.</p><p id="rfc.section.4.p.2">[XXX We need a way to constrain this for privacy protection reasons. It's not yet clear how the client can judge which Host-Scope paramters to accept or ignore, only that must be allowed to do so.]</p><p id="rfc.section.4.p.3">To facilitate interoperable session sharing across heterogeneous server implementations we define a session resource -named by its session URI- that can be obtained with a properly-authenticated GET by authorized entities. The session resource's representation is a application/json document type, containing a JSON-serialized associative array with the following REQUIRED keys:</p><p id="rfc.section.4.p.4"> </p><dl><dt>Master-Key</dt><dd>The session's master key, base64-encoded.</dd><dt>MAC-Alg</dt><dd>The MAC algorithm for this session.</dd></dl><p id="rfc.section.4.p.5"> <span class="comment" id="rfc.comment.5">[<a href="#rfc.comment.5" class="smpl">rfc.comment.5</a>: We probably want each server to see a different master key, in which case we probably want to use a KDF with the server's hostname as part of the salt.]</span> </p><p id="rfc.section.4.p.6"> <span class="comment" id="rfc.comment.6">[<a href="#rfc.comment.6" class="smpl">rfc.comment.6</a>: We probably want to define some OPTIONAL keys for this object, such as &#8220;User&#8221;, &#8220;User-URI&#8221;, &#8220;HTTP-Auth-Scheme-Used&#8221;, &#8220;HTTP-Auth-Scheme-&lt;param&gt;&#8221;, and so on, as well as an application-specific namespace of keys (e.g., &#8220;App-&lt;appname&gt;&#8221; or &#8220;&lt;URN&gt;&#8221;).]</span> </p><hr class="noprint"><h1 id="rfc.section.5" class="np"><a href="#rfc.section.5">5.</a>&nbsp;<a id="sec_Unauthenticated_to_Authenticated" href="#sec_Unauthenticated_to_Authenticated">Unauthenticated to Authenticated Session Upgrade</a></h1><p id="rfc.section.5.p.1">A client might first establish an unauthenticated session then authenticate the user later. When authentication is done the client might wish to preserve any state associated with the preceding unauthenticated session. The client does this by sending a Session-Init at authentication time with a 'Previous-Session-URI' session-param and, if there was server-assigned session state, a 'Previous-Session-State' session-param.</p><hr class="noprint"><h1 id="rfc.section.6" class="np"><a href="#rfc.section.6">6.</a>&nbsp;<a id="d1e660" href="#d1e660">Session Continuation</a></h1><p id="rfc.section.6.p.1">Once a session is established the client binds requests to sessions as described here.</p><p id="rfc.section.6.p.2">There are two cases: HTTPS and HTTP. In both cases the client adds a header</p><p id="rfc.section.6.p.3">For the HTTPS case the client adds a &#8220;Session&#8221; header to its requests with the following content: the session identifier assigned by the server, a nonce generated by the client, and a MAC of the nonce and the TLS channel bindings.</p><p id="rfc.section.6.p.4">The value of the Session header consists of a base64-encoded 128-bit nonce and a MAC, using the session's MAC algorithm, of the nonce and the channel binding, each base64-encoded then concatenated in that order:</p><p id="rfc.section.6.p.6"> </p><div id="magicparlabel-219"></div><div id="rfc.figure.3"></div><pre>   CB = &lt;base64-encoding of the channel bindings&gt;
   nonce = &lt;base64-encoded 128-bit nonce&gt;
   new-state = ...
   direction = "c2s" | "s2c"
   prot-state = "protected" | "unprotected"
   response-status = "" | "Invalid-MAC" |
                     | "Session-expired" "Session-unknown"
   MAC-input = direction "," prot-state "," nonce
               "," CB "," status "," [new-state]
   MAC = &lt;base64encoded MAC taken over MAC-input&gt;
   Session = nonce "," response-status "," [new-state] "," MAC</pre><p class="figure">Figure 3: Session header</p><p id="rfc.section.6.p.7">Where the response must carry a Session header, the form of the value is the same as for requests.</p><p id="rfc.section.6.p.8">The MAC is taken over a direction indicator, an indicator of whether TLS is used, the nonce, the channel bindings, and so on, as shown in Figure 3. Only the server may assert new session state, and only the server indicates a response-status other than &#8220;&#8221; (empty string).</p><h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a id="d1e706" href="#d1e706">Session Validation and Error Handling</a></h2><p id="rfc.section.6.1.p.1">The receiver computes the same MAC using the sender's nonce (and new-state, if present, when the receiver is the client) and compares the resulting MAC to the MAC from the Session header.</p><p id="rfc.section.6.1.p.2">If MAC validation of a request fails then the server MUST respond with a 403 status code with a non-empty response-status int he Session-header. Error responses MUST include a Session header. If 403 response's Session header indicates &#8220;Invalid-MAC&#8221; then if the client had used HTTPS then the client SHOULD warn the user, otherwise the client SHOULD retry. If the 403 response's Session header indicates &#8220;Session-expired&#8221; then the client SHOULD renew the session (see <a href="#sub_Session_Expiration_and" title="Session Expiration and Renewal">Section&nbsp;6.2</a>). Otherwise the client must assume that the old session has been destroyed (e.g., because of a logout or server state data loss) and may establish a new session.</p><p id="rfc.section.6.1.p.3">If MAC validation of a response fails the the client MUST act as though a 400 (bad request) had been sent instead. If the request was idempotent the client SHOULD retry, otherwise recovery is not specified.</p><h2 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a>&nbsp;<a id="sub_Session_Expiration_and" href="#sub_Session_Expiration_and">Session Expiration and Renewal</a></h2><p id="rfc.section.6.2.p.1">If the server decides that a session is no longer valid then the server should respond with a 401 status code. The client should then re-authenticate or establish a new unauthenticated session, using the Previous-Session-URI and Previous-Session-State session-params of the new Session-Init to indicate that the old session is being &#8220;renewed&#8221;.</p><h2 id="rfc.section.6.3"><a href="#rfc.section.6.3">6.3</a>&nbsp;<a id="d1e736" href="#d1e736">Alternative: Define Session Scheme for WWW-Authenticate</a></h2><p id="rfc.section.6.3.p.1">One possibility that has some appeal would be to define a new HTTP authentication scheme called &#8220;Session&#8221; (say) and use that instead of the &#8220;Session&#8221; header defined above. The primary advantage to the WWW-Authenticate approach is that it fits the existing HTTP authentication framework, allowing a server to present to an application the user authentication information embedded in the session state as if the user were re-authenticated in each request. Session continuation can then be seen as a form of fast re-authentication.</p><hr class="noprint"><h1 id="rfc.section.7" class="np"><a href="#rfc.section.7">7.</a>&nbsp;<a id="d1e745" href="#d1e745">Logout</a></h1><p id="rfc.section.7.p.1">To logout the client SHOULD perform a DELETE of the session URI.</p><hr class="noprint"><h1 id="rfc.section.8" class="np"><a href="#rfc.section.8">8.</a>&nbsp;<a id="d1e754" href="#d1e754">Inquiring Session Status</a></h1><p id="rfc.section.8.p.1">The client MAY do a GET of the session URI. The semantics of the response body for this are not specified here. As explained in <a href="#sec_Session_Scope__Sharing" title="Session Scope: Sharing Sessions Across Servers">Section&nbsp;4</a>, servers also may GET a session URI; see <a href="#sec_Session_Scope__Sharing" title="Session Scope: Sharing Sessions Across Servers">Section&nbsp;4</a> for more details.</p><hr class="noprint"><h1 id="rfc.section.9" class="np"><a href="#rfc.section.9">9.</a>&nbsp;<a id="sec_Analysis" href="#sec_Analysis">Analysis</a></h1><p id="rfc.section.9.p.1">Quite clearly this protocol meets requirements 1, 2, 3, 5, and 11 from <a href="#I-D.williams-websec-session-continue-prob"><cite title="Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement">[I-D.williams-websec-session-continue-prob]</cite></a>.</p><p id="rfc.section.9.p.2">The security requirements are also met:</p><p id="rfc.section.9.p.3"> </p><dl><dt>requirement&nbsp;4</dt><dd>The active cookie recovery attacks on TLS we consider are adaptive chosen plaintext attacks. These attacks depend on the cookies sent by the client being the same in every request. This protocol uses MAC of at least channel bindings data (which doesn't change for any one connection) salted (so to speak) with a nonce. This use of nonces causes the MAC sent to be different for each request, which defeats the known cookie recovery attacks on TLS. Note that we assume confidentiality protection from TLS; clients MUST NOT negotiate cipher suites that provide no confidentiality protection.</dd><dt>requirement&nbsp;6</dt><dd>This is clearly met by the use of a MAC keyed with a session key not available to attackers. This clearly depends on implementations having decent entropy sources, but this is no different than for TLS. Note, however, that insecure session initiation with key assertion is clearly insecure relative to passive attackers, as well as active attackers that can redirect packet flows so they can observe session initiation.</dd><dt>requirement_7</dt><dd>This is clearly met by prefixing an indicator of whether TLS is used or not to the MAC input.</dd><dt>requirement_8</dt><dd>The use of channel bindings as an input to the MAC meets this requirement.</dd><dt>requirement_9</dt><dd>This requirement is clearly met by having DELETE of a session URI terminate a session. It is important that clients promptly destroy any remnant of deleted sessions' state so that servers get no benefit from not deleting sessions when the clients demand it.</dd><dt>requirement_10</dt><dd>This is clearly met by using headers that proxies should pass unmodified.</dd></dl><hr class="noprint"><h1 id="rfc.section.10" class="np"><a href="#rfc.section.10">10.</a>&nbsp;<a id="sec_IANA_Considerations" href="#sec_IANA_Considerations">IANA Considerations</a></h1><p id="rfc.section.10.p.1">This document creates a number of new HTTP request and response headers. These headers will need to be added to the HTTP header registry: &lt;TBD&gt;.</p><hr class="noprint"><h1 id="rfc.section.11" class="np"><a href="#rfc.section.11">11.</a>&nbsp;<a id="sec_Security_Considerations" href="#sec_Security_Considerations">Security Considerations</a></h1><p id="rfc.section.11.p.1">This session continuation protocol appears to meet the requirements outlined in <a href="#I-D.williams-websec-session-continue-prob"><cite title="Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement">[I-D.williams-websec-session-continue-prob]</cite></a>. [XXX Add analysis. In particular explain how MAC(CB + nonce) is sufficient to defeat BEAST and CRIME.]</p><p id="rfc.section.11.p.2">This proposal meets security requirements from the problem statement <a href="#I-D.williams-websec-session-continue-prob"><cite title="Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement">[I-D.williams-websec-session-continue-prob]</cite></a>. See <a href="#sec_Analysis" title="Analysis">Section&nbsp;9</a> for details.</p><p id="rfc.section.11.p.3">[...]</p><hr class="noprint"><h1 id="rfc.references" class="np"><a id="rfc.section.12" href="#rfc.section.12">12.</a> References</h1><h2 class="np" id="rfc.references.1"><a href="#rfc.section.12.1" id="rfc.section.12.1">12.1</a> Normative References</h2><table><tr><td class="reference"><b id="RFC2119">[RFC2119]</b></td><td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, &#8220;<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>&#8221;, BCP&nbsp;14, RFC&nbsp;2119, March&nbsp;1997.</td></tr><tr><td class="reference"><b id="RFC2104">[RFC2104]</b></td><td class="top"><a href="mailto:hugo@watson.ibm.com" title="IBM, T.J. Watson Research Center">Krawczyk, H.</a>, <a href="mailto:mihir@cs.ucsd.edu" title="University of California at San Diego, Dept of Computer Science and Engineering">Bellare, M.</a>, and <a href="mailto:canetti@watson.ibm.com" title="IBM T.J. Watson Research Center">R. Canetti</a>, &#8220;<a href="http://tools.ietf.org/html/rfc2104">HMAC: Keyed-Hashing for Message Authentication</a>&#8221;, RFC&nbsp;2104, February&nbsp;1997.</td></tr><tr><td class="reference"><b id="RFC2616">[RFC2616]</b></td><td class="top"><a href="mailto:fielding@ics.uci.edu" title="Department of Information and Computer Science">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="World Wide Web Consortium">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="World Wide Web Consortium">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">T. Berners-Lee</a>, &#8220;<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>&#8221;, RFC&nbsp;2616, June&nbsp;1999.</td></tr><tr><td class="reference"><b id="RFC5246">[RFC5246]</b></td><td class="top">Dierks, T. and E. Rescorla, &#8220;<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>&#8221;, RFC&nbsp;5246, August&nbsp;2008.</td></tr><tr><td class="reference"><b id="RFC5056">[RFC5056]</b></td><td class="top">Williams, N., &#8220;<a href="http://tools.ietf.org/html/rfc5056">On the Use of Channel Bindings to Secure Channels</a>&#8221;, RFC&nbsp;5056, November&nbsp;2007.</td></tr><tr><td class="reference"><b id="RFC5929">[RFC5929]</b></td><td class="top">Altman, J., Williams, N., and L. Zhu, &#8220;<a href="http://tools.ietf.org/html/rfc5929">Channel Bindings for TLS</a>&#8221;, RFC&nbsp;5929, July&nbsp;2010.</td></tr><tr><td class="reference"><b id="RFC5869">[RFC5869]</b></td><td class="top">Krawczyk, H. and P. Eronen, &#8220;<a href="http://tools.ietf.org/html/rfc5869">HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</a>&#8221;, RFC&nbsp;5869, May&nbsp;2010.</td></tr><tr><td class="reference"><b id="I-D.williams-websec-session-continue-prob">[I-D.williams-websec-session-continue-prob]</b></td><td class="top">Williams, N., &#8220;<a href="http://tools.ietf.org/html/draft-williams-websec-session-continue-prob-00">Hypertext Transport Protocol (HTTP) Session Continuation: Problem Statement</a>&#8221;, Internet-Draft&nbsp;draft-williams-websec-session-continue-prob-00 (work in progress), January&nbsp;2013.</td></tr></table><h2 id="rfc.references.2"><a href="#rfc.section.12.2" id="rfc.section.12.2">12.2</a> Informative References</h2><table><tr><td class="reference"><b id="RFC2617">[RFC2617]</b></td><td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, &#8220;<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>&#8221;, RFC&nbsp;2617, June&nbsp;1999.</td></tr><tr><td class="reference"><b id="RFC5849">[RFC5849]</b></td><td class="top">Hammer-Lahav, E., &#8220;<a href="http://tools.ietf.org/html/rfc5849">The OAuth 1.0 Protocol</a>&#8221;, RFC&nbsp;5849, April&nbsp;2010.</td></tr><tr><td class="reference"><b id="I-D.ietf-oauth-v2">[I-D.ietf-oauth-v2]</b></td><td class="top">Hardt, D., &#8220;<a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-31">The OAuth 2.0 Authorization Framework</a>&#8221;, Internet-Draft&nbsp;draft-ietf-oauth-v2-31 (work in progress), August&nbsp;2012.</td></tr><tr><td class="reference"><b id="I-D.hallambaker-httpintegrity">[I-D.hallambaker-httpintegrity]</b></td><td class="top">Hallam-Baker, P., &#8220;<a href="http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02">HTTP Integrity Header</a>&#8221;, Internet-Draft&nbsp;draft-hallambaker-httpintegrity-02 (work in progress), November&nbsp;2012.</td></tr></table><hr class="noprint"><div class="avoidbreak"><h1 id="rfc.authors" class="np"><a href="#rfc.authors">Author's Address</a></h1><address class="vcard"><span class="vcardline"><span class="fn">Nicolas Williams</span><span class="n hidden"><span class="family-name">Williams</span><span class="given-name">Nicolas</span></span></span><span class="org vcardline">Cryptonector, LLC</span><span class="vcardline">EMail: <a href="mailto:nico@cryptonector.com"><span class="email">nico@cryptonector.com</span></a></span></address></div></body></html>