Re: cookie Port summary

"Gregory J. Woodhouse" <gjw@wnetc.com> wrote:
  > > [DMK]
  > > 2) Semantics
  > > Reject cookie if there is a port-list and the original connection was
  > > not to a listed port.
  > >
  > 
  > Even for port 80? I'm not saying this is incorrect, but it is
  > non-intuitive, and will likely confuse a lot of people. Remember, people
  > may wish to share cookies across port 80 and (say) port 8080 and may
  > assume they only have to include 8080 in the port list.
  > 
  > On the other hand, it would certainly be useful to exclude port 80. I
  > don't know.

Even for port 80.  Not all servers run on port 80.  If port-list included
port 80 implicitly, there would be no way to exclude it.  Cookies emitted
from port 8000 would leak to port 80.

Dave Kristol

Received on Monday, 24 March 1997 13:52:31 UTC
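
The port-list rule argued for in this message, as an added Python sketch that is not part of the original e-mail or of the cookie draft. The function names, the quoted comma-separated port-list syntax, and the reuse of the same check when a cookie is later returned are assumptions; `implicit_80` models the alternative the message rejects.

```python
# Added illustration; all names here are hypothetical, not from the cookie draft.

def parse_port_list(value):
    """Parse a Port value such as '"80,8080"' into a set of ints.
    (Quoted, comma-separated syntax is an assumption of this example.)"""
    ports = set()
    for item in value.strip().strip('"').split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()) or not 0 < int(item) < 65536:
            raise ValueError(f"bad port in port-list: {item!r}")
        ports.add(int(item))
    return ports


def port_allowed(port_list, port, implicit_80=False):
    """True if a cookie carrying this port-list may be used on `port`.

    port_list is None when the cookie has no port-list (no port restriction).
    implicit_80=True models the rejected alternative in which port 80
    always counts as listed, so it can never be excluded.
    """
    if port_list is None:
        return True
    allowed = set(port_list)
    if implicit_80:
        allowed.add(80)
    return port in allowed


def accept_cookie(port_attr, request_port, implicit_80=False):
    """Rule from the message: reject the cookie if there is a port-list and
    the original connection was not to a listed port."""
    port_list = None if port_attr is None else parse_port_list(port_attr)
    return port_allowed(port_list, request_port, implicit_80)


if __name__ == "__main__":
    # Constructed cases: a server on port 80 that lists only 8080, and a
    # cookie scoped to port 8000 being considered for port 80.
    print("set from :80 with Port=\"8080\":", accept_cookie('"8080"', 80))
    print("set from :80 with Port=\"80,8080\":", accept_cookie('"80,8080"', 80))
    print("Port=\"8000\" usable on :80 (explicit only):", port_allowed({8000}, 80))
    print("Port=\"8000\" usable on :80 (implicit 80):",
          port_allowed({8000}, 80, implicit_80=True))
```

With explicit-only semantics a server on port 80 must list 80 itself, which is the surprise raised in the quoted question; with implicit 80 the cookie scoped to port 8000 becomes usable on port 80, which is the leak described in the reply.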