Where's my cookie?

[Graycode]

(Dec. 18, 2008 03:54 AM)Oddysey Wrote:  The way I read RFC2965 is that session cookies may be non-cached (as you say, in memory only), but that's not a requirement. Indeed, the spec does recommend that the UserAgent cache all state-tracking mechanisms (IOW, cookies), unless there is a security issue (multiple users of a machine, for instance).

RFC2965 describes the Set-Cookie2: header, different than the more commonly used Set-Cookie: without the '2'.

A browser storing long-term values from Set-Cookie: is dictated by the "expires=" date attribute.

A browser storing long-term values from Set-Cookie2: is dictated by the "Max-Age=" attribute, and it might optionally also contain "expires=". See section 3.3 of that RFC2965. It specifically states that if there is no Max-Age specified in the Set-Cookie2: header then "The default behavior is to discard the cookie when the user agent exits."

I don't know what Proxo does or doesn't do for those headers to avoid long-term tracking via cookies. What my proxy normally does for those headers is:
1) Strip out the "expires=" attribute when its specified date is in the future (setting an old expires date is the method by a server telling a browser to delete a cookie, as commonly happens when logging Out of a site).
2) Strip out the "Max-Age=" attribute when its specified value is not zero (setting zero is the method by a server telling a browser to delete a cookie).

Beyond those headers, there's also javascript methods that can assign & manipulate browser cookies.

(Dec. 18, 2008 03:54 AM)Oddysey Wrote:  And to put the final nail in the coffin, if session cookies were held only in memory, then ProxRocks' faked cookies would never be read at all.

Those faked cookies are being added by Proxo, they are not coming from a browser's storage.