
Apache and cookies

From: Koen Holtman <koen@win.tue.nl>
Date: Thu, 26 Sep 1996 16:21:33 +0200 (MET DST)
Message-Id: <199609261421.QAA25940@wsooti22.win.tue.nl>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: Koen Holtman <koen@win.tue.nl>

I recently started using the `show an alert before accepting a cookie'
option in Netscape 3.0, and found that many Apache servers on the net
wanted to send me a cookie.  I asked a local Apache (1.0.3) server
operator why his server was trying to tag a cookie on me (which is
considered extremely rude by Dutch standards).  He was not aware that
it did; he did not even know what a cookie was.

Question: Does Apache send cookies in its default configuration?

If so, I'm very concerned about this.  Apart from making server
operators (who should have known better?) look bad, it breaks the
privacy safeguards present in the state management draft
(draft-ietf-http-state-mgmt-03.txt).

The privacy model we used depends on there being a percentage of
`watchdog users' who have cookie notification enabled in their
browser, and who complain if they come across a site which uses
cookies inappropriately.  If NN% of all installed servers start
sending cookies, it will become impossible for the `watchdog users' to
filter the real cookie abuse from the noise of unintended cookie use,
and the whole privacy system breaks down.

Koen.
Received on Thursday, 26 September 1996 07:30:42 EDT
