
Re: backward compatibility of non-cachable headers

From: Lou Montulli <montulli@mozilla.com>
Date: Tue, 20 Feb 1996 13:22:00 -0800
Message-Id: <312A3B78.41C6@mozilla.com>
To: Shel Kaphan <sjk@amazon.com>
Cc: Koen Holtman <koen@win.tue.nl>, http-caching@pa.dec.com, state@xent.w3.org

Shel Kaphan wrote:
> Koen Holtman writes:
>  > Shel Kaphan:
>  > >If a cache operator has loosened the rules on returning expired
>  > >documents (which I am given to understand does sometimes happen), and
>  > >if the cache has stored a document with associated set-cookie headers,
>  > >then there could be a real security issue -- people could get other
>  > >people's cookies.
>  >
>  > Yes, this is a potential problem.  We have been through this issue of
>  > caches not complying with the Expires header definition before, and I
>  > would really like to avoid doing it again.
>  >
> I agree -- that's not the focus of my comment.  I just wanted to point
> out that given the reality of that situation, there's an unsolved security
> problem with cookies.   (Lou, is Netscape still paying a bounty to
> people who notice security problems?)

Yes we are, but only for problems in our products.  Our proxy server
doesn't cache set-cookie headers or their corresponding documents, so
I believe we don't currently have a problem.

Lou Montulli                 http://www.netscape.com/people/montulli/
       Netscape Communications Corp.
Received on Tuesday, 20 February 1996 22:08:12 UTC
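
Added example, not part of the original message or of any Netscape code: a toy shared cache keyed only by URL, run once with the loosened behaviour Shel describes (Set-Cookie responses stored and replayed) and once with the behaviour Lou describes (Set-Cookie responses and their documents never stored). The class, function names, URL and cookie values are all constructed for illustration.

```python
# Toy shared (proxy) cache keyed by URL only.
# All names, URLs and cookie values below are constructed for this example.

class SharedCache:
    def __init__(self, store_set_cookie):
        # store_set_cookie=True models the loosened cache from the thread;
        # False models a proxy that refuses to cache Set-Cookie responses.
        self.store_set_cookie = store_set_cookie
        self.entries = {}

    def fetch(self, url, origin, user):
        """Return (headers, body) for `user`, from the cache if present."""
        if url in self.entries:
            return self.entries[url]  # served without contacting the origin
        headers, body = origin(url, user)
        has_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
        if self.store_set_cookie or not has_cookie:
            self.entries[url] = (headers, body)
        return headers, body


def origin(url, user):
    """Constructed origin server: issues a per-user session cookie."""
    headers = [("Content-Type", "text/html"),
               ("Set-Cookie", f"session={user}-token")]
    return headers, f"<p>Welcome, {user}</p>"


def cookies_seen(cache, users, url="http://shop.example/cart"):
    """Map each user to the Set-Cookie values the cache handed them."""
    seen = {}
    for user in users:
        headers, _ = cache.fetch(url, origin, user)
        seen[user] = [v for n, v in headers if n.lower() == "set-cookie"]
    return seen


if __name__ == "__main__":
    for loosened in (True, False):
        label = "stores Set-Cookie" if loosened else "skips Set-Cookie"
        print(label, cookies_seen(SharedCache(loosened), ["alice", "bob"]))
```

With the loosened cache the second user receives the first user's cookie; with the skipping cache every user's response comes from the origin and carries that user's own cookie.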
