Shel Kaphan wrote:
>
> Koen Holtman writes:
> > Shel Kaphan:
> > >If a cache operator has loosened the rules on returning expired
> > >documents (which I am given to understand does sometimes happen), and
> > >if the cache has stored a document with associated set-cookie headers,
> > >then there could be a real security issue -- people could get other
> > >people's cookies.
> >
> > Yes, this is a potential problem. We have been through this issue of
> > caches not complying to the Expires header definition before, and I
> > would really like to avoid doing it again.
> >
>
> I agree -- that's not the focus of my comment. I just wanted to point
> out that given the reality of that situation, there's an unsolved security
> problem with cookies. (Lou, is Netscape still paying a bounty to
> people who notice security problems?)

Yes we are, but only for problems in our products. Our proxy server
doesn't cache set-cookie headers or their corresponding documents, so
I believe we don't currently have a problem.

:lou
--
Lou Montulli http://www.netscape.com/people/montulli/
Netscape Communications Corp.

Received on Tuesday, 20 February 1996 22:08:12 GMT
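The cache behaviour discussed in this message, as an added example that is not part of the original thread and is not Netscape's proxy code: a toy shared cache that either stores responses carrying Set-Cookie or refuses to store them. The names `SharedCache`, `origin` and `cookies_seen`, the URL and the cookie values are all constructed for illustration, and the cache serves any stored entry without checking expiry.

```python
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: list  # list of (name, value) tuples


def has_set_cookie(resp):
    """True if the response carries at least one Set-Cookie header."""
    return any(name.lower() == "set-cookie" for name, _ in resp.headers)


class SharedCache:
    """Toy shared cache keyed by URL only (hypothetical, no expiry handling)."""

    def __init__(self, origin, store_set_cookie):
        self.origin = origin                  # callable: (url, client) -> Response
        self.store_set_cookie = store_set_cookie
        self.entries = {}

    def fetch(self, url, client):
        if url in self.entries:               # hit: same bytes for every client
            return self.entries[url]
        resp = self.origin(url, client)
        # Policy under test: skip storing the document and its headers
        # whenever the response sets a cookie.
        if self.store_set_cookie or not has_set_cookie(resp):
            self.entries[url] = resp
        return resp


def origin(url, client):
    """Constructed origin server that issues a per-client session cookie."""
    return Response("welcome", [("Set-Cookie", f"session={client}-secret")])


def cookies_seen(cache, clients, url="/home"):
    """Return the Set-Cookie values each client receives, in request order."""
    seen = {}
    for client in clients:
        resp = cache.fetch(url, client)
        seen[client] = [v for n, v in resp.headers if n.lower() == "set-cookie"]
    return seen


if __name__ == "__main__":
    for policy in (True, False):
        cache = SharedCache(origin, store_set_cookie=policy)
        print(policy, cookies_seen(cache, ["alice", "bob"]))
```

With `store_set_cookie=True` the second client is handed the first client's cookie from the cache; with `False` every request reaches the origin and each client gets its own.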