W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: new cookie draft

From: Koen Holtman <koen@win.tue.nl>
Date: Thu, 20 Mar 1997 18:48:45 +0100 (MET)
Message-Id: <199703201748.SAA17704@wsooti08.win.tue.nl>
To: Dave Kristol <dmk@research.bell-labs.com>
Cc: http-wg@cuckoo.hpl.hp.com
Dave Kristol:
>
>Well, sports fans, there's a new cookie draft.  Regrettably, the name
>is draft-ietf-http-state-man-mec-00.  (I had wanted it to be
>draft-ietf-http-state-mgmt-06.) I have withdrawn
>draft-ietf-http-state-mgmt-errata-00, which the new draft subsumes.
>
>For the record, I know of two planned changes to the draft already:
>
>1) I'll drop the "same port" requirement.  (Cookies can return to any
>port on any host to which they could otherwise legitimately be sent.)

Dropping this requirement opens a significant security hole, because not all
servers on the same host need to be run by the same people.  Others have
called this a `marginal case', but I do not want to ignore it: really tiny
sites need security too.

The `same port' requirement that is in the spec now is a little too
restrictive though.  I'd be happy if the current

Domain Selection
     The origin server's fully-qualified host name must domain-match the
     Domain attribute of the cookie.  The origin server's port number
     must equal the port number of the server that sent the cookie.

gets rewritten to

Domain Selection 
     The origin server's fully-qualified host name must domain-match the
     Domain attribute of the cookie.  If the cookie does not explicitely
     specify a Domain attribute, the origin server's port number must
     equal the port number of the server that sent the cookie.

, but just dropping the port requirement won't do for me.

>Dave Kristol

Koen.
Received on Thursday, 20 March 1997 09:51:05 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:32 EDT