- From: Lou Montulli <montulli@mozilla.com>
- Date: Tue, 20 Feb 1996 13:22:00 -0800
- To: Shel Kaphan <sjk@amazon.com>
- Cc: Koen Holtman <koen@win.tue.nl>, http-caching@pa.dec.com, state@xent.w3.org
Shel Kaphan wrote:
>
> Koen Holtman writes:
> > Shel Kaphan:
> > >If a cache operator has loosened the rules on returning expired
> > >documents (which I am given to understand does sometimes happen), and
> > >if the cache has stored a document with associated set-cookie headers,
> > >then there could be a real security issue -- people could get other
> > >people's cookies.
> >
> > Yes, this is a potential problem. We have been through this issue of
> > caches not complying to the Expires header definition before, and I
> > would really like to avoid doing it again.
> >
>
> I agree -- that's not the focus of my comment. I just wanted to point
> out that given the reality of that situation, there's an unsolved security
> problem with cookies. (Lou, is Netscape still paying a bounty to
> people who notice security problems?)
Yes we are, but only for problems in our products. Our proxy server
doesn't cache set-cookie headers or their corresponding documents, so
I believe we don't currently have a problem.
:lou
--
Lou Montulli http://www.netscape.com/people/montulli/
Netscape Communications Corp.
Received on Tuesday, 20 February 1996 22:08:12 UTC
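
The scenario discussed in this thread, as an added example that is not part of the original messages or of any Netscape product: a toy shared cache shows how loosened expiry handling hands one user's Set-Cookie header to the next user, and how refusing to store responses that carry Set-Cookie avoids it. The `SharedCache` class, the `/cart` URL and the cookie values are constructed for illustration.

```python
import itertools


def make_origin():
    """Constructed origin: each response sets a fresh session cookie and is
    marked as already expired, so a compliant cache must not reuse it."""
    counter = itertools.count(1)

    def origin(url, now):
        headers = [("Content-Type", "text/html"),
                   ("Set-Cookie", f"session=user{next(counter)}")]
        return headers, now  # Expires == now: stale immediately

    return origin


class SharedCache:
    """Toy shared proxy cache keyed by URL (hypothetical, for illustration)."""

    def __init__(self, serve_expired, store_set_cookie):
        self.serve_expired = serve_expired        # operator loosened the expiry rules
        self.store_set_cookie = store_set_cookie  # store responses that set cookies
        self.entries = {}

    def fetch(self, url, origin, now):
        entry = self.entries.get(url)
        if entry is not None:
            headers, expires = entry
            if self.serve_expired or now < expires:
                return headers  # cache hit: stored headers replayed as-is
        headers, expires = origin(url, now)
        sets_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
        # Mitigation: never store a response that carries Set-Cookie.
        if self.store_set_cookie or not sets_cookie:
            self.entries[url] = (headers, expires)
        return headers


def cookies_seen(cache, users=2):
    """Cookie each successive user receives when requesting the same URL."""
    origin = make_origin()
    return [dict(cache.fetch("/cart", origin, now=t))["Set-Cookie"]
            for t in range(users)]


if __name__ == "__main__":
    print("loosened:", cookies_seen(SharedCache(True, True)))
    print("no cookie caching:", cookies_seen(SharedCache(True, False)))
    print("honours Expires:", cookies_seen(SharedCache(False, True)))
```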