W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: cookie Port summary

From: Koen Holtman <koen@win.tue.nl>
Date: Mon, 24 Mar 1997 23:13:46 +0100 (MET)
Message-Id: <199703242213.XAA04980@wsooti08.win.tue.nl>
To: Dave Kristol <dmk@research.bell-labs.com>
Cc: http-wg@cuckoo.hpl.hp.com
Dave Kristol:
>
>Here's my summary and elaboration of the proposal for restricting ports
>in cookies.
[...]
>Comments?

This works for me.  

With a little more work the default could be made more secure (i.e. only
send to the port it came from) in the pure `new cookie' case.  But we are
probably stuck with the `send to all ports' default when being compatible
with `old cookies' sent in a Set-Cookie without a Set-Cookie2.  Some
existing sites which continue sessions on secure pages will rely on this
less-secure default, I think.

>Dave Kristol

Koen.
Received on Monday, 24 March 1997 14:16:39 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:33 EDT