- From: Koen Holtman <koen@win.tue.nl>
- Date: Thu, 26 Sep 1996 16:21:33 +0200 (MET DST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: Koen Holtman <koen@win.tue.nl>

I recently started using the `show an alert before accepting a cookie' option in Netscape 3.0, and found that many Apache servers on the net wanted to send me a cookie. I asked a local Apache (1.0.3) server operator why his server was trying to tag a cookie on me (which is considered extremely rude by Dutch standards). He was not aware that it did; he did not even know what a cookie was.

Question: Does Apache send cookies in its default configuration?

If so, I'm very concerned about this. Apart from making server operators (who should have known better?) look bad, it breaks the privacy safeguards present in the state management draft (draft-ietf-http-state-mgmt-03.txt).

The privacy model we used depends on there being a percentage of `watchdog users' which have cookie notification enabled in their browser, and which complain if they come across a site which uses cookies inappropriately. If NN% of all installed servers start sending cookies, it will become impossible for the `watchdog users' to filter the real cookie abuse from the noise of unintended cookie use, and the whole privacy system breaks down.

Koen.

Received on Thursday, 26 September 1996 07:30:42 UTC