- From: Lou Montulli <montulli@mozilla.com>
- Date: Tue, 20 Feb 1996 13:22:00 -0800
- To: Shel Kaphan <sjk@amazon.com>
- Cc: Koen Holtman <koen@win.tue.nl>, http-caching@pa.dec.com, state@xent.w3.org
Shel Kaphan wrote:
>
> Koen Holtman writes:
> > Shel Kaphan:
> > >If a cache operator has loosened the rules on returning expired
> > >documents (which I am given to understand does sometimes happen), and
> > >if the cache has stored a document with associated set-cookie headers,
> > >then there could be a real security issue -- people could get other
> > >people's cookies.
> >
> > Yes, this is a potential problem. We have been through this issue of
> > caches not complying to the Expires header definition before, and I
> > would really like to avoid doing it again.
> >
>
> I agree -- that's not the focus of my comment. I just wanted to point
> out that given the reality of that situation, there's an unsolved security
> problem with cookies. (Lou, is Netscape still paying a bounty to
> people who notice security problems?)

Yes we are, but only for problems in our products. Our proxy server
doesn't cache set-cookie headers or their corresponding documents, so
I believe we don't currently have a problem.

:lou
--
Lou Montulli http://www.netscape.com/people/montulli/
Netscape Communications Corp.
Received on Tuesday, 20 February 1996 22:08:12 UTC
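
The exchange above turns on whether a shared cache stores a response together with its Set-Cookie header. The following Python model is an added illustration, not part of the original message and not Netscape's proxy code; the `SharedCache` class, the `/login` URL and the `session=userN` cookie values are all constructed for the example. It compares a cache that stores everything with one that declines to store any response carrying Set-Cookie, the policy described in the reply.

```python
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: list  # (name, value) pairs as received from the origin


class SharedCache:
    """Toy shared proxy cache keyed by URL only (hypothetical, for illustration)."""

    def __init__(self, skip_set_cookie):
        self.skip_set_cookie = skip_set_cookie
        self.store = {}

    @staticmethod
    def has_set_cookie(resp):
        # Header names are case-insensitive
        return any(name.lower() == "set-cookie" for name, _ in resp.headers)

    def fetch(self, url, origin):
        # Expiry is deliberately ignored, modelling the loosened rules in the thread
        if url in self.store:
            return self.store[url]
        resp = origin(url)
        if not (self.skip_set_cookie and self.has_set_cookie(resp)):
            self.store[url] = resp
        return resp


def make_origin():
    """Constructed origin that issues a fresh session cookie on every request."""
    counter = {"n": 0}

    def origin(url):
        counter["n"] += 1
        return Response("welcome", [("Content-Type", "text/html"),
                                    ("Set-Cookie", f"session=user{counter['n']}")])
    return origin


def cookies_seen(cache, clients=2):
    """Return the Set-Cookie values each successive client receives for one URL."""
    origin = make_origin()
    seen = []
    for _ in range(clients):
        resp = cache.fetch("/login", origin)
        seen.append([v for n, v in resp.headers if n.lower() == "set-cookie"])
    return seen
```

With `skip_set_cookie=False` the second client is handed the first client's cookie from the cache; with `skip_set_cookie=True` every client reaches the origin and gets its own.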