- From: Dave Kristol <dmk@bell-labs.com>
- Date: Thu, 19 Jun 1997 15:02:24 -0400
- To: http-state@lists.research.bell-labs.com
- Cc: http-wg@cuckoo.hpl.hp.com
I've submitted a new Internet Draft to appear soon (I hope):
draft-ietf-http-state-man-mec-02. You can take a look at it now via
<http://portal.research.bell-labs.com/~dmk/cookie-ver.html>. You can
find versions there with change-bars from the previous I-D or from RFC
2109.
This I-D addresses a serious flaw in RFC 2109's wording concerning
third-party cookies and unverifiable transactions that was even more
restrictive than we intended:
    When it makes an unverifiable transaction, a user agent must enable a
    session only if a cookie with a domain attribute D was sent or accepted
    in its origin transaction, such that the host name in the Request-URI of
    the unverifiable transaction domain-matches D.
The words "cookie ... in its origin transaction" make it sound like
we require there to have been a cookie in the origin transaction or else
a session cannot be initiated via an unverifiable transaction (in
addition to the other restrictions).
Koen Holtman and I have batted words around for several weeks now
(seriously slowed by my involvement with LPWA (see <http://lpwa.com>)),
but things have finally stabilized enough for me to attend to this loose
end.
Dave Kristol
P.S. Although I've Cc-ed http-wg as a courtesy, let's try to keep
discussion on http-state.
Received on Thursday, 19 June 1997 12:05:53 UTC
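To make the wording problem concrete, here is an added illustration (not code from Dave Kristol's message, the I-D, or RFC 2109 itself) that encodes RFC 2109's domain-match rule from its Terminology section and then the quoted sentence read literally: a session for the unverifiable transaction is enabled only when some cookie with Domain attribute D was sent or accepted in the origin transaction and the unverifiable request's host domain-matches D. The host names, the set of origin-transaction cookie domains and the scenario function are constructed for the example; the third scenario shows the over-restriction the message complains about, where an origin transaction that carried no cookie at all can never lead to a session.

```python
# Added illustration of RFC 2109 domain-match and the literal reading of the
# unverifiable-transaction clause quoted in the message. Not part of the I-D.


def domain_matches(host: str, domain: str) -> bool:
    """RFC 2109 Terminology: A domain-matches B if the strings compare equal,
    or if A has the form NB where N is a non-empty name string and B begins
    with a dot (so x.y.com domain-matches .y.com but not y.com)."""
    host = host.lower()
    domain = domain.lower()
    if host == domain:
        return True
    if not domain.startswith("."):
        return False
    # N must be non-empty, so the host has to be strictly longer than B.
    return host.endswith(domain) and len(host) > len(domain)


def session_enabled_literal(origin_cookie_domains, unverifiable_host: str) -> bool:
    """Literal reading of the quoted RFC 2109 sentence.

    origin_cookie_domains: the Domain attribute values D of every cookie that
    was sent or accepted in the origin transaction (possibly empty).
    unverifiable_host: host name from the Request-URI of the unverifiable
    transaction (for example an inline image fetched from a third party).
    """
    return any(domain_matches(unverifiable_host, d) for d in origin_cookie_domains)


def run_scenarios():
    """Constructed scenarios: a page on www.example.com embeds an image
    from ads.example.com (the unverifiable transaction)."""
    third_party = "ads.example.com"  # constructed host name
    return {
        # Origin transaction carried a cookie with Domain=.example.com:
        # the third-party host domain-matches it, so a session is enabled.
        "cookie_matches": session_enabled_literal({".example.com"}, third_party),
        # Origin transaction's cookie was for an unrelated domain: no session.
        "cookie_unrelated": session_enabled_literal({".other.com"}, third_party),
        # Origin transaction carried no cookie at all. Read literally, the
        # clause can never be satisfied, which is the unintended restriction
        # the message points out.
        "no_origin_cookie": session_enabled_literal(set(), third_party),
    }


if __name__ == "__main__":
    for name, enabled in run_scenarios().items():
        print(f"{name}: session enabled = {enabled}")
```

The `domain_matches` helper is deliberately the RFC 2109 Terminology definition only; the separate Set-Cookie acceptance rules for the Domain attribute (such as the embedded-dots requirement) are not modelled here.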