W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1997

Re: Issues with the cookie draft

From: M. Hedlund <hedlund@best.com>
Date: Wed, 19 Mar 1997 15:39:32 -0800 (PST)
To: "David W. Morris" <dwm@xpasc.com>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.SGI.3.95.970319153721.23744E-100000@shellx.best.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/2767 

On Wed, 19 Mar 1997, David W. Morris wrote:
> I think the same port requirement makes no sense unless the set-cookie
> included a port specification.  After all, allowing a cookie to be
> shared between x.y.com and w.y.com which are likely to be two machines
> but not between x.y.com:80 and x.y.com:8080 which most likely will be
> one machine and under a tighter span of control seems like a misdirected
> concern. Hence, I would propose removing the port match requirement.

I agree with your point above.  I think the rationale was that high-port
servers could be run by users and that any user could thereby capture
cookies intended for a low-port (root-run) server.  Marginal case.

M. Hedlund <hedlund@best.com>
Received on Wednesday, 19 March 1997 16:02:54 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:01 UTC