RE: Issues with the cookie draft

On Sat, 22 Mar 1997, Yaron Goland wrote:
> I'll come up with a rule to handle your cases as soon as you come up
> with a rule to allow me to share cookies across:
> 
> companyname.com
> productname.companyname.com
> version1.productname.companyname.com
> version2.productname.companyname.com
> version3.productname.companyname.com
> 
> The current spec prevents sharing cookies amongst those servers. That
> does not seem terribly reasonable.

I agree that it would be desirable to allow this functionality, and I
concede that we as a group were not able to come up with such a rule (which
I think Lou Montulli also raised as desirable in some cases).  My point
about arbitrariness was that we didn't find a way to determine what was a
company/organization name versus what was a "top"-level domain -- in other
words, the rules that would satisfy the above cases would necessarily fail
to satisfy the cases I listed.

Since one domain-matching method didn't arise to cover both sets of cases,
we decided in favor of the more conservative method -- the one that at
least made a strong attempt to protect users from cookie broadcasting.  Let
me rephrase my challenge: given that we (you and I, at least) seem to agree
that one organizational unit should have the ability to use cookies across
its internal domains, can you propose a domain matching rule that allows
that feature _without_ creating a cookie-broadcast situation (where a
cookie is available to servers outside of the organizational unit)? 

M. Hedlund <hedlund@best.com>

Received on Saturday, 22 March 1997 08:18:53 UTC
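
The trade-off discussed in this message, as an added example that is not part of the original message or of the cookie draft: two purely syntactic domain-matching rules applied to the host tree quoted above and to a structurally identical tree whose subdomains belong to unrelated parties. Assumptions: the "conservative" rule is modelled on RFC 2109 section 4.3.2 (Domain must begin with a dot and contain an embedded dot, and the part of the request host in front of Domain must contain no dots), and the hosting.example names are constructed.

```python
# Added illustration; not code from the draft or from this thread.
# Assumption: conservative_rule follows RFC 2109 section 4.3.2.

def _valid_domain_attr(dom):
    # Domain must start with a dot and contain an embedded dot (".com" is refused).
    return dom.startswith(".") and "." in dom[1:]

def conservative_rule(host, dom):
    """Host may set Domain only if host = H + Domain and H contains no dots."""
    host, dom = host.lower(), dom.lower()
    if not _valid_domain_attr(dom) or not host.endswith(dom):
        return False
    prefix = host[:-len(dom)]
    return bool(prefix) and "." not in prefix

def suffix_rule(host, dom):
    """Looser alternative: any host below Domain may set it."""
    host, dom = host.lower(), dom.lower()
    return _valid_domain_attr(dom) and host.endswith(dom) and len(host) > len(dom)

# (request host, Domain attribute) pairs.
# ORG comes from the quoted message: one organization, sharing is wanted.
# SHARED is constructed: a parent domain whose children are unrelated customers,
# so a cookie scoped to the parent is broadcast to other parties.
ORG = ("version1.productname.companyname.com", ".companyname.com")
SHARED = ("www.customer1.hosting.example", ".hosting.example")

def compare():
    """Return {rule name: (verdict for ORG, verdict for SHARED)}."""
    return {rule.__name__: (rule(*ORG), rule(*SHARED))
            for rule in (conservative_rule, suffix_rule)}

if __name__ == "__main__":
    for name, (org, shared) in compare().items():
        print(f"{name:18} org sharing allowed={org!s:5} broadcast allowed={shared}")
```

Each rule returns the same verdict for both trees because it sees only label structure, so a rule that admits the companyname.com case also admits the shared-parent case.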