NAME
    HTTP::State - Fast RFC6265bis-draft + CHIPS Cookie Jar

SYNOPSIS
      use HTTP::State ":flags";
   
      # Create a jar. Default flags for compatibility API.
      #
      my $jar=HTTP::State->new(default_flags=>FLAG_TYPE_HTTP|FLAG_TOP_LEVEL|...);

      # Requested URL
      #
      my $request_url="http://test.example.com";
  
      # First party site of the request ( for CHIPS )
      #
      my $partition_key= "https://first.party.com";

      # User agent indicates the context of the request using flags
      #
      my $flags=FLAGS_TYPE_HTTP|FLAGS_TOP_LEVEL|...;



      # Retrieve encoded cookies name/values applicable for the request.
      #
      my $cookie_header = $jar->retrieve_cookies($request_url, $partition_key, $flags);
  
      #       ++ OR ++

      # use the  HTTP::CookieJar compatible API, jar's default flags
      #
      my $cookie_header = $jar->cookie_header($request_url);




      # Do a request...
      #
      my $response=user_agent->get(cookie_header=>$cookie_header);




      # Store the  Set-Cookies in the jar for the request url
      #
      $jar->store_cookies($request_url, $partition_key, $flags, $response->header->{Set_Cookie});

      #     ++ OR ++

      # use the HTTP::CookieJar compatible API, using the default flags
      $jar->add($request_url, $response->header->{Set_Cookie});

DESCRIPTION
    Web browsers are constantly improving privacy and limiting the tracking
    ability of cookies. This module implements a cookie jar providing the
    same up to date thinking to Perl user-agents.

    The algorithm implemented is derived from RFC6265bis-draft-12 and
    Cookies Having Independent Partitioned State (CHIPS). These are not
    finalised standards, so it is to be expected this module may change
    behaviour to keep up to date.

    To aid adoption, this module will work as a drop in alternative for
    HTTP::CookieJar. A compatible API has been implemented to allow existing
    user agents to benefit from the performance gains in particular.

    However long term, user agents would need to be modified, or at least
    wrapped in order to take full advantage of this module. Not only are
    there differences in the general API compared to popular cookie jars,
    but conceptually the notion of 'browsing context', and
    'first-party/third-party' need to be implemented.

    Finally, for explicit encoding and decoding of cookie strings (not via a
    cookie jar), please see the companion HTTP::State::Cookie module. This
    is used internally for encoding and decoding cookies.

  Summary of RFC6265bis and CHIPS
    At the time of writing RFC6265bis-draft is a version '12'. As the RFC
    progresses this module will be updated accordingly. The highlight take
    away feature implemented/utilized in this module are:

    Public suffix checking
        Cookies are tested for public suffixes (ie .com, .org, .com.au) and
        rejected if the cookie domain is not below such a level. This
        prevents a trackers and information leakage at a basic level.

    Prefix cookie name processing
        Cookies names prefixed with __Host- and __Secure- are subject to
        addition requirements before being stored.

    Reduced pper limit of expiry dates
        Cookies expire 400 days (or user defined) in the future, instead of
        potentially years.

    Browsing Context
        User agents should be performing additional book keeping and testing
        of what is a 'same site' request, top level navigation, reloading,
        document etc to fully utilise the additional functionality available
        in this module.

        While these tests/conditions are specified in RFC6265bis-draft, it
        is not in the scope of this module and needs to be implemented in a
        user-agent. The results of such tests are represented as bit fields,
        which are used to guide the store/retrieve algorithm accordingly
        within this module:

        samesite/crosssite
        API/HTTP
        safe/unsafe method
        top/nontop level navigation

    Partitioning (CHIPS)
        Cookies Having Independent Partitioned State (CHIPS), effectively
        gives each first party site it's own cookie jar. Third party cookies
        set from resources requested by the first party site are stored in
        this 'partitioned cookie jar'.

        These cannot be used by another first party site requesting
        resources from the same third party site. Hence limiting tracking.

  COMPATIBILITY
    A compatibility interface matching that of HTTP::CookieJar is available
    to aid in adoption.

    In theory, this should allow user-agents like HTTP::Tiny and Furl for
    example to benefit from performance and security improvements with
    limited changes to existing code.

    To work around the lack of same site / browsing context / partitioning
    support in the HTTP::CookieJar API, the compatibility API utilises the
    current values of the 'default flags' for the cookie jar and disables
    partitioning by default

API
  User Agent Context Flags
    Flags are implemented as constants and can be exported using the
    ":flags" tag at import:

      use HTTP::State ":flags";

    They are a space efficient method of describing the intent and context
    of a request initiated by a user-agent. Multiple flags are ORed together
    into a bit field. This bit field is required for storing and retrieval
    of cookies throughout this API.

    As mentioned previously, the user-agent or other external code is
    responsible for performing tests on the context. The flags are for
    conveying the results to the cookie jar.

   FLAG_SAME_SITE
    When this flag is set, a request is considered "same-site". When unset,
    request is considered "cross-site".

    A same site request is one which loads resources for a document from the
    same host and scheme as the current 'document' for example.

   FLAG_TYPE_HTTP
    When this flag is set, request is considered "HTTP". When unset, request
    is considered "non-HTTP".

    In a browser this represents if a request for a resource was initiated
    by from a html document (HTTP) or from javascript (non-HTTP).

   FLAG_SAFE_METH
    When this flag is set, request is considered "safe". When unset, request
    is considered "unsafe".

    POST and PUT methods in HTTP are considered unsafe.

   FLAG_TOP_LEVEL
    When this flag is set, request is considered "top level". When unset,
    request is considered "not-top-level".

    Top level requests include manually typing in a URL and navigating to it
    and

  Creating a cookie jar
   new
      my $jar=HTTP::State->new(...);

    Creates a new cookie jar object. Optional named arguments can be
    provided:

    default_flags
          my $jar=HTTP::State->new(default_flags=>flags);

        Sets the default flags used for storing and retrieving cookies, when
        no defined value is provided via "retrieve_cookies" and
        "store_cookies"

        It is also the value used in the compatibility API.

        Default is all flags on

        (FLAG_TYPE_HTTP|FLAG_TOP_LEVEL|FLAG_SAME_SITE|FLAG_SAFE_METH).

    enable_partition
          my $jar=HTTP::State->new(enable_partition=>...);

        Enables partition support for partition cookies. When enabled,
        cookies are stored in relevant partitions.

        The default value is false (off)

    retrieve_sort
          my $jar=HTTP::State->new(retrieve_sort=>1||0);

        A boolean enabling sorting of retrieved cookies by path length and
        creation time.

        Default is false (no sorting).

    max_expiry
          my $jar=HTTP::State->new(max_expiry=>seconds);

        The upper limit in duration a cookie can be valid for. Value is in
        seconds.

        Default is 400 days (400 * 24 * 3600)

    lax_allowing_unsafe
          my $jar=HTTP::State->new(lax_allowing_unsafe=>1||0)

        A boolean enabling retrieval of cookies for unsafe methods and
        default same site, as long as cookie is no older than
        "lax_allow_unsafe_timeout"

        The default value is false.

    lax_allowing_unsafe_timeout
          my $jar=HTTP::State->new(lax_allowing_unsafe_timeout=>seconds)

        The timeout value (age) to use when testing the
        "lax_allow_unsafe_timeout".

        The default value is 120 seconds

    public_suffix_sub
          my $jar=HTTP::State->new(public_suffix_sub=>sub {...});

        A code reference which performs public suffix lookup on a URI. The
        code ref must take a domain name as an argument and return a suffix
        or empty string string if no suffix exists.

        If this option is not provided, a reference to the "public_suffix"
        routine from Mozilla::PublicSuffix is used.

  Storing and Retrieving
    For new code, these methods are preferred over the compatibility API, to
    make better use of 'browsing context'.

   store_cookies
      $jar->store_cookies($request_uri, $partition, $flags, $string_or_struct, ...);

    Takes a $request_url , browsing context $flags and one or more
    Set-Cookie header string values or cookie structures. Stores them in the
    cookie jar as per the 'storage model' of RFC6265bis-draft.

    The exact processing of the cookies is subject to the $flags bit field,
    which is a combination of the 'context flags'. If set to "undef" the
    current default bit flags for the cookie jar will be used.

    The $partition argument, is the partition hey scheme://host) of the
    first party site. Cookies are stored to this partition if the jar was
    instantiated with the "enable_partition" option.

    This method in intended to be called from a user-agent on receipt of a
    HTTP response.

   retrieve_cookies
      $jar->retrieve_cookies($request_url, $partition, $flags);

    Retrieves cookies from a jar, for the specified $request_url according
    to RFC6265bis-draft 'cookie retrieval'. The cookies are encodes them
    into a string suitable for use in a Cookie header in a HTTP request.

    The exact processing of the cookies is subject to the $flags bit field,
    which is a combination of the 'context flags'. If set to "undef" the
    current default bit flags for the cookie jar will be used.

    The $partition argument, is the name (scheme://host) of the first party
    site, which is used as a partition key. Cookies are only retrieved from
    this partition if the jar was instantiated with the "enable_partition"
    option.

    This method in intended to be called from a user-agent in generation of
    a HTTP request.

  Auxillary
   get_cookies
      $jar->get_cookies($request_url);
      $jar->get_cookies($request_url, $partition, $flags);

    Takes the same arguments as "retrieve_cookies" and matches the same
    cookies. Returns a copied list of the matched cookie structures instead
    of a encoded string.

   get_kv_cookies
      $jar->get_kv_cookies($request_url);
      $jar->get_kv_cookies($request_url, $same_site_status, $type, $safe);

    Takes the same arguments as "retrieve_cookies" and matches the same
    cookies. Returns a list of key value pairs, of names and values.

  HTTP::CookieJar Compatibility Interface
    These methods of the same name an intent as those found in
    HTTP::CookieJar. There are most certainly minor differences, but should
    allow a HTTP::State cookie jar to be a drop in replacement in most
    circumstances a HTTP::CookieJar is used.

   add
        $jar->add($url, $set_cookie_string);

    Adds a cookie (as a Set_Cookie value string $set_cookie_string) to the
    cookie jar for the request URL $url.

    Note on SAME SITE: It is a compatibility wrapper around "store_cookies"
    utilising the default flags for the jar as no flags for same site
    support can be supplied directly.

    Please refer to the HTTP::CookieJar for further information.

   clear
      $jar->clear;

    Removes all cookies from the jar

   cookies_for
      $jar->cookies_for($url);
      $jar->cookies_for($url);

    Returns a list of hash refs representing a set cookie for a target $url.
    The elements of each hash are named as per HTTP::CookieJar. Additional
    elements could also exist (ie samesite)

    Please refer to the HTTP::CookieJar for further information.

   cookie_header
      $jar->cookie_header($url)

    Retrieves any applicable cookies for the target $url, and encodes into a
    Cookie header string value.

    Note on SAME SITE: It is a compatibility wrapper around
    "retrieve_cookies" utilising the default flags for the jar, as no flags
    for same site support can be supplied directly.

    Please refer to the HTTP::CookieJar for further information.

   dump_cookies
      $jar->dump_cookies;
      $jar->dump_cookies({persistent => 1});

    Returns a list of strings encoded as Set Cookie values, but with
    additional internal information. The "{persistent => 1}" parameter
    forces only persistent cookies to be processed, ignoring session
    cookies.

    Adjusts the creation and last access times to be relative to epoch in
    the local time, instead of GMT for interoperability with
    HTTP::CookieJar.

    Partitioned cookies are also included in the dump, with the partition
    key stored, for later loading.

   load_cookies
      $jar->load_cookies(@cookies)

    Takes a list of Set-Cookie type strings written out previous with
    "dump_cookies" and injects them into the cookie jar.

    Decodes the creation time and last access time expected in local
    timezone seconds.

    Please refer to the HTTP::CookieJar for further information.

    Partitioned cookies store the partition key in the Partitioned
    attribute. If this is present cookies are loaded into the specified
    partition.

PERFORMANCE
  Cookie Retrieval
    Relative performance of retrieving cookies for a request to a single
    host:

    1 cookie:

                         Rate http_cookiejar  protocol_http     http_state
      http_cookiejar 165217/s             --           -31%           -41%
      protocol_http  238602/s            44%             --           -15%
      http_state     279272/s            69%            17%             --

    5 cookies:

                        Rate http_cookiejar     http_state  protocol_http
      http_cookiejar  5582/s             --           -80%           -81%
      http_state     27568/s           394%             --            -8%
      protocol_http  29824/s           434%             8%             --

    50 cookies:

                        Rate http_cookiejar     http_state  protocol_http
      http_cookiejar 100.0/s             --           -97%           -97%
      http_state      2973/s          2873%             --            -8%
      protocol_http   3228/s          3128%             9%             --

    100 cookies:

                       Rate http_cookiejar     http_state  protocol_http
      http_cookiejar 23.1/s             --           -98%           -98%
      http_state     1370/s          5835%             --            -5%
      protocol_http  1436/s          6121%             5%             --

    1000 cookies:

                        Rate http_cookiejar  protocol_http     http_state
      http_cookiejar 0.233/s             --           -99%          -100%
      protocol_http   43.8/s         18738%             --           -76%
      http_state       179/s         76975%           309%             --

COMPARISON TO OTHER MODULES
    Protocol::HTTP::CookieJar is a very fast cookie jar module, also
    implementing RFC6265bis-draft.

    However, it's API is targeted towards its related HTTP client, doesn't
    support CHIPS/partitioning and requires a large number of XS modules

    HTTP::CookieJar is the cookie jar expected by many user agents. While it
    has public suffix support, it doesn't provide samesite processing or the
    additional conditions of RFC6265bis-draft or CHIPS/paritioning. It is
    also quite slow in comparison to this module.

SEE ALSO
    The main resources used in implementing this module:

    <https://github.com/privacycg/CHIPS#opt-in-partitioned-cookies>
    <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis>
    <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies>

TODO
    Create LWP adaptor
    Mojo User Agnet adaptor
    More tests

REPOSITORTY and BUGS
    Please report any bugs via git hub:
    <http://github.com/drclaw1394/perl-http-state>

AUTHOR
    Ruben Westerberg, <drclaw@mac.com>

COPYRIGHT AND LICENSE
    Copyright (C) 2023 by Ruben Westerberg

    Licensed under MIT

DISCLAIMER OF WARRANTIES
    THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
    WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.