- From: M. Hedlund <hedlund@best.com>
- Date: Wed, 19 Mar 1997 15:39:32 -0800 (PST)
- To: "David W. Morris" <dwm@xpasc.com>
- Cc: http-wg@cuckoo.hpl.hp.com

On Wed, 19 Mar 1997, David W. Morris wrote:

> I think the same port requirement makes no sense unless the set-cookie
> included a port specification. After all, allowing a cookie to be
> shared between x.y.com and w.y.com which are likely to be two machines
> but not between x.y.com:80 and x.y.com:8080 which most likely will be
> one machine and under a tighter span of control seems like a misdirected
> concern. Hence, I would propose removing the port match requirement.

I agree with your point above. I think the rationale was that high-port servers could be run by users and that any user could thereby capture cookies intended for a low-port (root-run) server. Marginal case.

M. Hedlund <hedlund@best.com>

Received on Wednesday, 19 March 1997 16:02:54 UTC
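
The asymmetry discussed in this exchange, as an added example that is not part of either message or of the cookie draft: a simplified model of the decision to send a cookie, evaluated with and without a same-port requirement. The `Cookie` record, the function names and the host `x.z.com` are constructed for illustration, and domain matching is reduced to a suffix test.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str    # ".y.com" (shared with subdomains) or an exact host name
    set_port: int  # port of the server that sent the Set-Cookie header


def domain_match(host: str, domain: str) -> bool:
    # Simplified (assumption): a leading dot covers any host ending in that
    # suffix; otherwise the host must equal the cookie's domain exactly.
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        return host.endswith(domain)
    return host == domain


def would_send(cookie: Cookie, url: str, require_same_port: bool) -> bool:
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if not domain_match(parts.hostname, cookie.domain):
        return False
    return port == cookie.set_port if require_same_port else True


def compare(cookie: Cookie, urls: list[str]) -> dict[str, tuple[bool, bool]]:
    # Map each URL to (sent with the port rule, sent without the port rule).
    return {u: (would_send(cookie, u, True), would_send(cookie, u, False)) for u in urls}


# Constructed scenario: x.y.com on port 80 sets a cookie with Domain=.y.com.
SHARED = Cookie("session", ".y.com", 80)
URLS = [
    "http://x.y.com/",       # the server that set the cookie
    "http://w.y.com/",       # different host, same port
    "http://x.y.com:8080/",  # same host, high port
    "http://x.z.com/",       # unrelated domain (constructed)
]

if __name__ == "__main__":
    for url, (strict, loose) in compare(SHARED, URLS).items():
        print(f"{url:24} port rule: {strict!s:5}  no port rule: {loose}")
```

Only the `x.y.com:8080` row differs between the two columns: the port rule withholds the cookie from a second server on the same host while still delivering it to a different machine, `w.y.com`.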