
Re: cookie Port summary

From: Koen Holtman <koen@win.tue.nl>
Date: Mon, 24 Mar 1997 23:13:46 +0100 (MET)
Message-Id: <199703242213.XAA04980@wsooti08.win.tue.nl>
To: Dave Kristol <dmk@research.bell-labs.com>
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/2856

Dave Kristol:
>Here's my summary and elaboration of the proposal for restricting ports
>in cookies.

This works for me.  

With a little more work the default could be made more secure (i.e. only
send to the port it came from) in the pure `new cookie' case.  But we are
probably stuck with the `send to all ports' default when being compatible
with `old cookies' sent in a Set-Cookie without a Set-Cookie2.  Some
existing sites which continue sessions on secure pages will rely on this
less-secure default, I think.

>Dave Kristol

Received on Monday, 24 March 1997 14:16:39 UTC
