Re: errata for cookie spec

At 05:19 PM 6/02/97 +0100, Koen Holtman wrote:
[...]
>>BTW, the silent rejection of cookies, esp. by domain name, is a good idea.
>
>I think this idea is covered by the suggestions in the spec.
>
>Some slightly off-topic information: if you edit your netscape preferences
>file to read
>   ACCEPT_COOKIE:  2 
>then NS will apparantly reject cookies without asking (I have not tried
>this, but I read it in the risk digest..  A commercial product which allows
>rejection by domain name (called PGPcookie.cutter) has been announced.
>Also, extending a proxy to provide cookie filtering services is trivial, and
>if someone has not done it already, someone will do it soon.  (I did it
>myself actually, but not in an industrial strength proxy implementation.)

  The commercial Harvest caching product does this from release 3.0 on.
  We do use this feature here, but not for reasons of security or privacy.
We use it because cookies are used by some web sites solely to prevent the
caching of pages at that site. It saves our end users time and money if the
proxy cache refuses to accept cookies from particular sites known to do
this. A more general policy of ignoring cookies on the transfer of graphic
objects is an interesting possibility I have not yet had the courage to
implement.
  It's worth bearing in mind that proxy caches tend to be paid for by
readers of material and not by publishers. It must be expected that their
administrators' actions will reflect that fact.
  Whether that implies that the use of cookies should be tightly restricted
by the standard to encourage proxy caches to accept them, or that what the
standard says may be disregarded anyway by many cache administrators, I'm
not sure.

- Donald Neal

Received on Thursday, 6 February 1997 13:10:27 UTC