- From: Marc Salomon <marc@pele.ckm.ucsf.edu>
- Date: Fri, 14 Jun 1996 08:50:04 -0700
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
dmk@allegra.att.com:

| In several places we made a point to prevent a cookie from being
| shared across multiple domains. For example, a client rejects a cookie
| if the request-host (the server just contacted) does not domain-match
| the Domain attribute. (Section 4.3.2. Also see section 8.2) The
| issue was privacy, and the intent was to avoid leaking cookies away
| from the intended domain.

Default policy is for the client not to send a cookie unless there was an exact match between the cookie's and the request's domain/path pairs, so leaking is an error in any case. If multiple domains were permitted, a client would only send a cookie if there were an exact match between the URI at hand and one of the set of domain and path pairs associated with the cookie. Sharing would be possible only when there were multiple domains in the Set-Cookie header. Sharing with permission is OK, but leaking is bad.

As for an application, say that we are providing a single point of access for a collection of electronic journals from multiple publishers or aggregators where we have a site license with each organization. We could issue a cookie (after authenticating locally) valid for our local domain and for cooperating domains serving up content under license. Those sites would decode our cookie and use it in access control and logging.

A successful authenticated GET of http://epub.ucsf.edu/journals would return a pointer to a page of links to journals and the following cookie:

    Set-Cookie: Site-License="UCSF:D3F5W($5N9VQA;F0@4&]T"; Version="1"; \
        Domain="epub.ucsf.edu"; Domain="epub.berkeley.edu"; \
        Domain="pub.nejm.org"; Domain="pub.jama.org"; \
        Domain="pub.oclc.org"; Domain="pub.elsevier.com"; \
        Domain="ieee.dla.ucop.edu" ...

Dereferencing any of those links would cause the appropriate Cookie to be generated:

    Cookie: Site-License="UCSF:D3F5W($5N9VQA;F0@4&]T"; Version="1"; \
        Domain="pub.nejm.org";

    Cookie: Site-License="UCSF:D3F5W($5N9VQA;F0@4&]T"; Version="1"; \
        Domain="pub.oclc.org";

I could see applications where one would want multiple domains OR paths, but there are problems with associativity in mixing multiple domains AND paths in the same cookie.

-marc
Received on Friday, 14 June 1996 09:03:25 UTC
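As an added example (not code from the message, the RFC 2109 draft, or any user agent), the following hypothetical Python model shows the two client-side checks the multi-Domain proposal above relies on: a cookie is stored only if the host that set it domain-matches one of its Domain attributes (the section 4.3.2 rule applied to a list), and a Cookie header is later emitted only for a request host that matches one of them, so the cookie is shared with the listed licensees but is never sent anywhere else. The function names, the dict layout, the default Path of "/", and the sample header are assumptions.

```python
# Hypothetical client-side model of RFC 2109 Domain/Path matching, extended to
# the multi-Domain Set-Cookie proposed above; not code from the message or a UA.
import re

# Split attributes on ';' only outside quotes: the cookie value in the
# message ("...$5N9VQA;F0@4&]T") itself contains a ';'.
_ATTR_RE = re.compile(r'([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')

def domain_match(host, domain):
    """RFC 2109 sec. 2: equal strings, or domain is a '.suffix' of host."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and
                              host.endswith(domain) and len(host) > len(domain))

def parse_set_cookie(header):
    """Collect name, value, Version, Path and every Domain attribute."""
    pairs = [(k, v.strip('"')) for k, v in _ATTR_RE.findall(header)]
    name, value = pairs[0]
    cookie = {"name": name, "value": value, "version": None,
              "path": "/", "domains": []}        # "/" default is an assumption
    for k, v in pairs[1:]:
        k = k.lower()
        if k == "domain":
            cookie["domains"].append(v.lower())   # bare host names: exact match
        elif k in ("version", "path"):
            cookie[k] = v
    return cookie

def accept(request_host, header):
    """Sec. 4.3.2 analogue: store only if the setting server is a listed Domain."""
    cookie = parse_set_cookie(header)
    if not any(domain_match(request_host, d) for d in cookie["domains"]):
        return None                              # would leak: reject the cookie
    return cookie

def cookie_header(cookie, request_host, request_path="/"):
    """Cookie header as shown in the message, or None when no pair matches."""
    if not request_path.startswith(cookie["path"]):
        return None
    for d in cookie["domains"]:
        if domain_match(request_host, d):
            return ('Cookie: %s="%s"; Version="%s"; Domain="%s"'
                    % (cookie["name"], cookie["value"], cookie["version"], d))
    return None                                  # no match: nothing is sent

# Constructed sample, modelled on the Set-Cookie header in the message.
SET_COOKIE = ('Site-License="UCSF:D3F5W($5N9VQA;F0@4&]T"; Version="1"; '
              'Domain="epub.ucsf.edu"; Domain="pub.nejm.org"; '
              'Domain="pub.oclc.org"')
```

Calling `accept("epub.ucsf.edu", SET_COOKIE)` and then `cookie_header(c, "pub.nejm.org", "/journals")` reproduces the first Cookie header from the message; a host outside the list gets `None`.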