Re: draft-ietf-http-state-mgmt-01.txt LAST CALL

From: Dave Kristol <dmk@allegra.att.com>
Date: Fri, 14 Jun 96 10:03:10 EDT
Message-Id: <9606141403.AA22339@aleatory.tempo.att.com>
To: marc@ckm.ucsf.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

"Marc Salomon" <marc@ckm.ucsf.edu> wrote on Thu, 13 Jun 1996 16:07:47 -0700:
  > |4.2.2  Set-Cookie Syntax  The syntax for the Set-Cookie response header is
  > [...]
  > |cookie-av       =       "Domain" "=" value
  > [...]
  > 
  > |If an attribute appears more than once in a cookie, the behavior is undefined.
  > 
  > Is there any reason to include grammar that didn't preclude sharing a cookie
  > across multiple domains, but specify its behavior explicitly as undefined?

Yes.  In several places we made a point to prevent a cookie from being
shared across multiple domains.  For example, a client rejects a cookie
if the request-host (the server just contacted) does not domain-match
the Domain attribute.  (Section 4.3.2.  Also see section 8.2)  The
issue was privacy, and the intent was to avoid leaking cookies away
from the intended domain.

When the state management subgroup discussed domains, we couldn't think
of applications where a single domain was too restrictive.

Dave Kristol
Received on Friday, 14 June 1996 07:16:05 EDT
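
The client-side check described in the message above, as an added example that is not part of the original message or of the draft: a cookie is refused when the request-host does not domain-match its Domain attribute. The matching rule used here (exact match, or suffix match against a Domain with a leading dot, exact match only for IP addresses) and the choice to refuse a cookie with a repeated attribute, which the draft leaves undefined, are assumptions, as are all function names and the constructed sample headers in the test.

```python
import ipaddress


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs, duplicates).
    Simplified: splits on ';' and does not handle ';' inside quoted values."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs, duplicates = {}, []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key in attrs:
            duplicates.append(key)          # same attribute seen twice
        else:
            attrs[key] = val.strip().strip('"')
    return name.strip(), value.strip(), attrs, duplicates


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host, domain):
    """Assumed rule: equal strings, or host = N + domain with N non-empty
    and domain starting with a dot. IP addresses must match exactly."""
    host, domain = request_host.lower(), domain.lower()
    if host == domain:
        return True
    if is_ip(host):
        return False
    return (domain.startswith(".") and host.endswith(domain)
            and len(host) > len(domain))


def accept_cookie(request_host, header_value):
    """Return (accepted, reason) for a cookie received from request_host."""
    _, _, attrs, duplicates = parse_set_cookie(header_value)
    if duplicates:
        # Policy assumption: the behaviour is undefined, so fail closed.
        return False, "repeated attribute: " + ", ".join(duplicates)
    domain = attrs.get("domain", request_host)  # default: the host contacted
    if not domain_match(request_host, domain):
        return False, "request-host does not domain-match Domain"
    return True, "accepted for " + domain
```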