- From: M. Hedlund <hedlund@best.com>
- Date: Sat, 22 Mar 1997 08:14:32 -0800 (PST)
- To: Yaron Goland <yarong@microsoft.com>
- Cc: Dave Kristol <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
On Sat, 22 Mar 1997, Yaron Goland wrote: > I'll come up with a rule to handle your cases as soon as you come up > with a rule to allow me to share cookies across: > > companyname.com > productname.companyname.com > version1.productname.companyname.com > version2.productname.companyname.com > version3.productname.companyname.com > > The current spec prevents sharing cookies amongst those servers. That > does not seem terribly reasonable. I agree that it would be desirable to allow this functionality, and I concede that we as a group were not able to come up with such a rule (which I think Lou Montulli also raised as desirable in some cases). My point about arbitrariness was that we didn't find a way to determine what was a company/organization name versus what was a "top"-level domain -- in other words, the rules that would satisfy the above cases would necessarily fail to satisfy the cases I listed. Since one domain-matching method didn't arise to cover both sets of cases, we decided in favor of the more conservative method -- the one that at least made a strong attempt to protect users from cookie broadcasting. Let me rephrase my challenge: given that we (you and I, at least) seem to agree that one organizational unit should have the ability to use cookies across its internal domains, can you propose a domain matching rule that allows that feature _without_ creating a cookie-broadcast situation (where a cookie is available to servers outside of the organizational unit)? M. Hedlund <hedlund@best.com>
Received on Saturday, 22 March 1997 08:18:53 UTC