Re: draft-ietf-http-state-mgmt-01.txt LAST CALL

"Marc Salomon" <> wrote on Thu, 13 Jun 1996 16:07:47 -0700:
  > |4.2.2  Set-Cookie Syntax  The syntax for the Set-Cookie response header is
  > [...]
  > |cookie-av       =       "Domain" "=" value
  > [...]
  > |If an attribute appears more than once in a cookie, the behavior is undefined.
  > Is there any reason to include grammar that didn't preclude sharing a cookie
  > across multiple domains, but specify its behavior explicitly as undefined?

Yes.  In several places we made a point to prevent a cookie from being
shared across multiple domains.  For example, a client rejects a cookie
if the request-host (the server just contacted) does not domain-match
the Domain attribute.  (Section 4.3.2.  Also see section 8.2)  The
issue was privacy, and the intent was to avoid leaking cookies away
from the intended domain.

When the state management subgroup discussed domains, we couldn't think
of applications where a single domain was too restrictive.

Dave Kristol

Received on Friday, 14 June 1996 07:16:05 UTC