On Wed, 19 Mar 1997, David W. Morris wrote:

> I think the same port requirement makes no sense unless the set-cookie
> included a port specification. After all, allowing a cookie to be
> shared between x.y.com and w.y.com which are likely to be two machines
> but not between x.y.com:80 and x.y.com:8080 which most likely will be
> one machine and under a tighter span of control seems like a misdirected
> concern. Hence, I would propose removing the port match requirement.

I agree with your point above. I think the rationale was that high-port servers could be run by users and that any user could thereby capture cookies intended for a low-port (root-run) server. Marginal case.

M. Hedlund <hedlund@best.com>

Received on Wednesday, 19 March 1997 16:02:54 UTC