
new cookie I-D submitted

From: Dave Kristol <dmk@bell-labs.com>
Date: Thu, 19 Jun 1997 15:02:24 -0400
Message-Id: <33A98240.59E2B600@bell-labs.com>
To: http-state@lists.research.bell-labs.com
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3556

I've submitted a new Internet Draft to appear soon (I hope):
draft-ietf-http-state-man-mec-02.  You can take a look at it now via
<http://portal.research.bell-labs.com/~dmk/cookie-ver.html>.  You can
find versions there with change-bars from the previous I-D or from RFC

This I-D addresses a serious flaw in RFC 2109's wording concerning
third-party cookies and unverifiable transactions that was even more
restrictive than we intended:

    When it makes an unverifiable transaction, a user agent must enable
    session only if a cookie with a domain attribute D was sent or
    in its origin transaction, such that the host name in the
    Request-URI of the unverifiable transaction domain-matches D.

The words "cookie ... in its origin transaction" make it sound like
we require there to have been a cookie in the origin transaction or else
a session cannot be initiated via an unverifiable transaction (in
addition to the other restrictions).

Koen Holtman and I have batted words around for several weeks now
(seriously slowed by my involvement with LPWA (see <http://lpwa.com>)),
but things have finally stabilized enough for me to attend to this loose

Dave Kristol

P.S.  Although I've Cc-ed http-wg as a courtesy, let's try to keep
discussion on http-state.
Received on Thursday, 19 June 1997 12:05:53 UTC
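
The reading described in the message above, worked through as an added example (not part of the original post or of any draft). It implements RFC 2109's domain-match rule and applies the quoted sentence literally. The function names, the `.example` hosts and the list of cookie Domain values associated with the origin transaction are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: the strings are equal, or `domain` has the
    form .B' and `host` has the form N.B' with N non-empty.
    So x.y.com domain-matches .y.com but not y.com."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (domain.startswith(".")
            and host.endswith(domain)
            and len(host) > len(domain))


def may_enable_session(request_uri: str, origin_cookie_domains: list) -> bool:
    """Literal reading of the quoted sentence for an unverifiable
    transaction: a session is allowed only if some cookie in the origin
    transaction carried a Domain D that the Request-URI host
    domain-matches. `origin_cookie_domains` is a hypothetical input
    holding those Domain values."""
    host = urlsplit(request_uri).hostname or ""
    return any(domain_match(host, d) for d in origin_cookie_domains)


# Constructed cases: (unverifiable Request-URI, Domain values of cookies
# in the origin transaction).
CASES = {
    "same site, origin had cookie":
        ("http://img.shop.example/logo.gif", [".shop.example"]),
    "third party, origin had cookie":
        ("http://ads.tracker.example/b.gif", [".shop.example"]),
    # The case the message calls more restrictive than intended: no cookie
    # in the origin transaction, so no session can be initiated at all.
    "same site, origin had no cookie":
        ("http://img.shop.example/logo.gif", []),
}


def evaluate() -> dict:
    """Return the session decision for each constructed case."""
    return {name: may_enable_session(uri, doms)
            for name, (uri, doms) in CASES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name}: {'session allowed' if allowed else 'no session'}")
```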