
Re: retrieving cookies which has been set by other domain

From: Ari Gordon-Schlosberg <regs@nebcorp.com>
Date: Thu, 4 May 2000 15:44:02 -0500
To: "'www-talk@w3.org'" <www-talk@w3.org>
Message-ID: <20000504154402.A16497@nebcorp.com>
[Xiaolin Jiang <Xiaolin@Icarian.com>]
> Hi,
> 
> Is it possible to get cookies which have been set by another company's web
> server? By talking to some people, it sounds like it is possible, but it is
> not recommended. Could anybody tell me how to do that with a servlet? I
> also want to know the future direction regarding this issue.

No.  If you can, it's a bug. The user agent is not supposed to allow that
to happen. 

From 4.3.4 of RFC 2099:

4.3.4  Sending Cookies to the Origin Server

   When it sends a request to an origin server, the user agent sends a
   Cookie request header to the origin server if it has cookies that are
   applicable to the request, based on

   * the request-host;

   * the request-URI;

   * the cookie's age
   ...

   The following rules apply to choosing applicable cookie-values from
   among all the cookies the user agent has.

   Domain Selection
        The origin server's fully-qualified host name must domain-match
        the Domain attribute of the cookie.

   Path Selection
        The Path attribute of the cookie must match a prefix of the
        request-URI.

   Max-Age Selection
        Cookies that have expired should have been discarded and thus
        are not forwarded to an origin server.

And 8.3 specifically prohibits "cookie sharing":

8.3  Unexpected Cookie Sharing

   A user agent should make every attempt to prevent the sharing of
   session information between hosts that are in different domains.
   Embedded or inlined objects may cause particularly severe privacy
   problems if they can be used to share cookies between disparate
   hosts.  For example, a malicious server could embed cookie
   information for host a.com in a URI for a CGI on host b.com.  User
   agent implementors are strongly encouraged to prevent this sort of
   exchange whenever possible.

-- 
Ari							there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
Received on Thursday, 4 May 2000 16:44:09 GMT
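The selection and rejection rules quoted above can be made concrete by modelling the user-agent side. The following is an added example, not code from the post or from any browser; it implements the "domain-match" definition and the Domain/Path/Max-Age selection from section 4.3.4, plus the Set-Cookie acceptance checks from section 4.3.2 of the same RFC, so you can see why a server on b.com never receives, and cannot plant, a cookie scoped to a.com. The host names, paths and cookie values are constructed sample data.

```python
"""Client-side cookie scoping per RFC 2109 (added worked example, not from the post)."""
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                       # as stored, e.g. ".a.com" or "b.com"
    path: str                         # e.g. "/"
    expires_at: Optional[float] = None  # absolute epoch seconds; None = session cookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 'domain-match': the names compare equal, or host has the
    form N + domain where domain starts with a dot and N is non-empty.
    So x.y.com domain-matches .y.com but does NOT domain-match y.com."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def applicable_cookies(jar: List[Cookie], request_host: str, request_path: str,
                       now: Optional[float] = None) -> List[Cookie]:
    """Section 4.3.4: choose the cookies the user agent may send with this request."""
    now = time.time() if now is None else now
    chosen = []
    for c in jar:
        if c.expires_at is not None and c.expires_at <= now:
            continue                                  # Max-Age selection: expired, never forwarded
        if not domain_match(request_host, c.domain):
            continue                                  # Domain selection
        if not request_path.startswith(c.path):
            continue                                  # Path selection (prefix match)
        chosen.append(c)
    # 4.3.4 also asks for more specific paths to be sent before less specific ones
    chosen.sort(key=lambda c: len(c.path), reverse=True)
    return chosen


def cookie_header(jar: List[Cookie], host: str, path: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Render the Cookie request header, or None when nothing applies."""
    chosen = applicable_cookies(jar, host, path, now)
    if not chosen:
        return None
    return "; ".join(f"{c.name}={c.value}" for c in chosen)


def accept_set_cookie(request_host: str, request_path: str,
                      domain: Optional[str] = None,
                      path: Optional[str] = None) -> Tuple[bool, str]:
    """Section 4.3.2: should the user agent store a cookie with these attributes,
    received in a response from request_host? Returns (accepted, reason)."""
    host = request_host.lower()
    path = path or request_path
    if not request_path.startswith(path):
        return False, "Path is not a prefix of the request-URI"
    if domain is None:
        return True, "ok (Domain defaults to the request-host)"
    domain = domain.lower()
    if not domain.startswith(".") or "." not in domain[1:]:
        return False, "Domain must start with a dot and contain an embedded dot"
    if not domain_match(host, domain):
        return False, "request-host does not domain-match Domain"
    if "." in host[:-len(domain)]:
        return False, "request-host is more than one level below Domain"
    return True, "ok"


if __name__ == "__main__":
    # Constructed jar: one cookie for .a.com, one for b.com, one expired.
    jar = [Cookie("sid", "abc", ".a.com", "/"),
           Cookie("pref", "x", "b.com", "/"),
           Cookie("old", "y", ".a.com", "/", expires_at=100.0)]
    print(cookie_header(jar, "www.a.com", "/index.html", now=200.0))  # sid=abc
    print(cookie_header(jar, "www.b.com", "/", now=200.0))            # None
    print(accept_set_cookie("www.b.com", "/cgi/x", domain=".a.com"))  # rejected
```

A servlet on b.com therefore only ever sees the cookies whose stored Domain the request-host b.com domain-matches; the a.com cookie is filtered out before the request leaves the browser, and a Set-Cookie from b.com naming Domain=.a.com is dropped on arrival.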

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:24 GMT