Re: backward compatibility of non-cachable headers

Shel Kaphan wrote:
> 
> Koen Holtman writes:
>  > Shel Kaphan:
>  > >If a cache operator has loosened the rules on returning expired
>  > >documents (which I am given to understand does sometimes happen), and
>  > >if the cache has stored a document with associated set-cookie headers,
>  > >then there could be a real security issue -- people could get other
>  > >people's cookies.
>  >
>  > Yes, this is a potential problem.  We have been through this issue of
>  > caches not complying to the Expires header definition before, and I
>  > would really like to avoid doing it again.
>  >
> 
> I agree -- that's not the focus of my comment.  I just wanted to point
> out that given the reality of that situation, there's an unsolved security
> problem with cookies.   (Lou, is Netscape still paying a bounty to
> people who notice security problems?)

Yes we are, but only for problems in our products.  Our proxy server
doesn't cache set-cookie headers or their corresponding documents, so
I believe we don't currently have a problem.  

:lou
-- 
Lou Montulli                 http://www.netscape.com/people/montulli/
       Netscape Communications Corp.
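
The leak Shel describes and the proxy behaviour Lou mentions, as an added example that is not part of this thread: a toy shared cache in Python (ToyProxyCache, shared_cache_may_store, leaks_cookie and the example.test URL are my own names) that serves expired entries when the operator has loosened the rules, beside the store-time check that refuses any response carrying Set-Cookie; it also honours Cache-Control no-store/private, which goes beyond what the thread discusses.

```python
# Added example (not from the thread): a toy shared-cache policy showing how
# a cached response carrying Set-Cookie can hand one user's cookie to another,
# and the check a proxy can apply to refuse storing such responses.
import time

def shared_cache_may_store(headers):
    """Return True if a shared (proxy) cache may store this response.
    Refuses Set-Cookie responses: the cookie is for the one client the
    origin answered, not every later client of the cache."""
    h = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" in h:
        return False
    cc = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" in cc or "private" in cc:
        return False
    return True

class ToyProxyCache:
    """Minimal shared cache keyed by URL. serve_stale=True models an operator
    who has loosened the rules and keeps returning expired entries."""
    def __init__(self, serve_stale=False, store_policy=shared_cache_may_store):
        self.serve_stale = serve_stale
        self.store_policy = store_policy
        self.entries = {}  # url -> (headers, body, expires_at)

    def store(self, url, headers, body, max_age):
        if self.store_policy(headers):
            self.entries[url] = (headers, body, time.time() + max_age)

    def lookup(self, url, now=None):
        now = time.time() if now is None else now
        entry = self.entries.get(url)
        if entry is None:
            return None
        headers, body, expires_at = entry
        if now > expires_at and not self.serve_stale:
            return None
        return headers, body

def leaks_cookie(serve_stale, store_policy=shared_cache_may_store):
    """Cache user A's response, then let user B ask for the same URL after it
    has expired. Returns the Set-Cookie value B received, or None."""
    cache = ToyProxyCache(serve_stale, store_policy)
    # Constructed sample origin response to user A (not a real site).
    resp = {"Set-Cookie": "session=user-a-secret", "Content-Type": "text/html"}
    cache.store("http://example.test/account", resp, "<html>A</html>", max_age=0)
    hit = cache.lookup("http://example.test/account", now=time.time() + 60)
    return None if hit is None else hit[0].get("Set-Cookie")
```

Only the combination of a store-anything policy and stale serving leaks the cookie; either the expiry rule or the Set-Cookie check alone is enough to stop it in this model.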

Received on Tuesday, 20 February 1996 22:08:12 UTC