- From: Koen Holtman <koen@win.tue.nl>
- Date: Thu, 20 Mar 1997 18:48:45 +0100 (MET)
- To: Dave Kristol <dmk@research.bell-labs.com>
- Cc: http-wg@cuckoo.hpl.hp.com
Dave Kristol:
>
>Well, sports fans, there's a new cookie draft. Regrettably, the name
>is draft-ietf-http-state-man-mec-00. (I had wanted it to be
>draft-ietf-http-state-mgmt-06.) I have withdrawn
>draft-ietf-http-state-mgmt-errata-00, which the new draft subsumes.
>
>For the record, I know of two planned changes to the draft already:
>
>1) I'll drop the "same port" requirement. (Cookies can return to any
>port on any host to which they could otherwise legitimately be sent.)
Dropping this requirement opens a significant security hole, because not all
servers on the same host need to be run by the same people. Others have
called this a `marginal case', but I do not want to ignore it: really tiny
sites need security too.
The `same port' requirement that is in the spec now is a little too
restrictive though. I'd be happy if the current

   Domain Selection
      The origin server's fully-qualified host name must domain-match the
      Domain attribute of the cookie. The origin server's port number
      must equal the port number of the server that sent the cookie.

gets rewritten to

   Domain Selection
      The origin server's fully-qualified host name must domain-match the
      Domain attribute of the cookie. If the cookie does not explicitly
      specify a Domain attribute, the origin server's port number must
      equal the port number of the server that sent the cookie.

, but just dropping the port requirement won't do for me.
>Dave Kristol
Koen.
Received on Thursday, 20 March 1997 09:51:05 UTC
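The three port rules under discussion (the current `same port' rule, Koen's proposed `port check only for cookies without an explicit Domain' rule, and Dave's plan to drop the port check) can be compared side by side. The following Python is an added example, not code from the thread or from the draft; it implements domain-matching as RFC 2109 defines it and uses a constructed cookie jar with hypothetical hosts (`tiny.example`, `www.tiny.example`) to show which cookies a user agent would send to a server on port 80 that may be run by someone other than the port-8080 server that set them.

```python
"""Cookie 'Domain Selection' check with a configurable port rule.

Implements RFC 2109 domain-matching plus three variants of the port rule:
  'current'  - the port must always equal the port of the server that set it
  'proposed' - the port must match only for cookies without an explicit Domain
  'dropped'  - no port check at all (cookies flow to any port on the host)
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    origin_host: str        # fully-qualified host that sent Set-Cookie
    origin_port: int        # port of the server that sent the cookie
    domain: Optional[str]   # explicit Domain attribute, or None if absent


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: the strings compare equal, or `domain` starts
    with a dot and `host` is a non-empty name string followed by `domain`."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (domain.startswith(".")
            and host.endswith(domain)
            and len(host) > len(domain))


def cookie_applies(cookie: StoredCookie, request_host: str,
                   request_port: int, rule: str = "proposed") -> bool:
    """Decide whether `cookie` may be sent with a request to host:port."""
    # A cookie without an explicit Domain is host-only: it matches the exact
    # origin host and nothing else.
    effective_domain = cookie.domain if cookie.domain is not None else cookie.origin_host
    if not domain_match(request_host, effective_domain):
        return False
    same_port = request_port == cookie.origin_port
    if rule == "current":
        return same_port
    if rule == "proposed":
        # Koen's wording: the port check applies only when no Domain was given.
        return cookie.domain is not None or same_port
    if rule == "dropped":
        return True
    raise ValueError(f"unknown port rule: {rule!r}")


def select_cookies(jar: Sequence[StoredCookie], request_host: str,
                   request_port: int, rule: str = "proposed") -> List[str]:
    """Names of the cookies in `jar` that would be sent to host:port."""
    return [c.name for c in jar
            if cookie_applies(c, request_host, request_port, rule)]


# Constructed sample jar (hypothetical hosts, not from the thread):
# 'session' was set by a server on port 8080 with no Domain attribute,
# 'prefs' was set by a server on port 8080 with Domain=.tiny.example.
SAMPLE_JAR = (
    StoredCookie("session", "abc123", "tiny.example", 8080, None),
    StoredCookie("prefs", "lang=en", "www.tiny.example", 8080, ".tiny.example"),
)


def demo() -> dict:
    """For each rule, what reaches port 80 on tiny.example and www.tiny.example."""
    return {
        rule: (select_cookies(SAMPLE_JAR, "tiny.example", 80, rule),
               select_cookies(SAMPLE_JAR, "www.tiny.example", 80, rule))
        for rule in ("current", "proposed", "dropped")
    }


if __name__ == "__main__":
    for rule, (plain, www) in demo().items():
        print(f"{rule:9s} tiny.example:80 -> {plain}  www.tiny.example:80 -> {www}")
```

Under the `current' rule nothing set on port 8080 reaches port 80; under Koen's proposal only the cookie whose setter explicitly opted in with a Domain attribute crosses ports, while the host-only `session` cookie stays on 8080; with the port check dropped, the host-only cookie is sent to port 80 as well, which is the case a second operator on the same host could receive.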