- From: רועי ברקאי <roybarkayyosef@gmail.com>
- Date: Thu, 31 Oct 2024 18:11:40 +0200
- To: Yoav Weiss <yoav.weiss@shopify.com>
- Cc: Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@apple.com>
- Message-ID: <CAKGRsAof27UgT5vATSiWVrVSuq6CbmR6-OPO7BZDUAYoZ14tPQ@mail.gmail.com>
In regards to best practices on that, you may set a short period such as an hour (could be set as the max inactive time to log off in the appserver) and continue sending appends to the cookie to make it longer by that time period, every time that amount of time passes. By that you don't let the session continue indefinitely. Also, you may implement a timer for inactivity on the client side to send a request to delete a cookie that wasn't used in x amount of time.

In regards to your question, I don't get how the server can't receive it, and your goal. A parent domain may delete its subdomain cookies, which is a supply chain issue, and also a different domain may attempt to delete your cookies, for example your competitor, if no security insight would be in place, as the browser would delete all cookies with that name, which may lead to marketing black hatting by inducing friction on competitor websites.

On Thu, Oct 31, 2024, 12:54 Yoav Weiss <yoav.weiss@shopify.com> wrote:

> On Thu, Oct 31, 2024 at 11:49 AM רועי ברקאי <roybarkayyosef@gmail.com> wrote:
>
>> As a first party cookie holder you may set an expiration date on the
>> cookie you have created.
>
> Sure, but since setting an expiration date requires predicting the future,
> we need a way to correct past predictions that didn't quite work out.
>
>> Allowing cross site cookie deletion would enable issues for users as an
>> attacker may remove all mostly used cookie names
>
> Can you expand on that? I wouldn't expect a server to be able to delete
> cookies that it can't receive, if that makes sense.
>
>> On Thu, Oct 31, 2024, 12:39 Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>
>>> On Thu, Oct 31, 2024 at 11:15 AM Daniel Stenberg <daniel@haxx.se> wrote:
>>>
>>>> On Thu, 31 Oct 2024, Yoav Weiss wrote:
>>>>
>>>> > `Delete-Cookie: name1, name2` as an example syntax, which seems simple
>>>> > enough and can get the job done.
>>>>
>>>> Since cookies are hierarchical, it should probably be noted that this list
>>>> identifying 'name1' and 'name2' can in fact match numerous cookies (for
>>>> different paths), not just two, and there is no way for this syntax to delete
>>>> just a subset of them.
>>>
>>> That's true. At the same time, the use case at hand is one where we want
>>> to delete cookies when we have no knowledge of their path.
>>> So I believe it's fine to delete all matching cookies.
>>>
>>> +Colin Bendell <colin.bendell@shopify.com> to keep me honest, as he's
>>> closer to this work.
>>>
>>>> --
>>>>
>>>> / daniel.haxx.se
Received on Thursday, 31 October 2024 16:11:53 UTC
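The two deletion semantics discussed in this thread, as an added illustration that is not part of the list discussion or of any proposal text: a small cookie-jar model (constructed sample data) compares the existing per-tuple removal via `Set-Cookie: name=; Max-Age=0; Path=...` with a hypothetical `Delete-Cookie: name1, name2` header, assuming (as Yoav Weiss expects) that the header may only remove cookies the responding server would have received on that request. It shows Daniel Stenberg's point that one name can match several cookies on different paths, and that cookies for other domains stay untouched.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # simplified: treated as the cookie's Domain attribute
    path: str


# Constructed sample jar: three "sid" cookies on nested paths, one on an
# unrelated path, one for another site, and an unrelated "theme" cookie.
SAMPLE_JAR = frozenset({
    Cookie("sid", "example.com", "/"),
    Cookie("sid", "example.com", "/app"),
    Cookie("sid", "example.com", "/app/admin"),
    Cookie("sid", "example.com", "/other"),
    Cookie("sid", "competitor.example", "/"),
    Cookie("theme", "example.com", "/"),
})


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def domain_matches(host, cookie_domain):
    """Simplified RFC 6265 domain-match (exact host or a subdomain of it)."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_received(jar, host, request_path):
    """Cookies the browser would attach to a request for host + request_path."""
    return {c for c in jar if domain_matches(host, c.domain)
            and path_matches(request_path, c.path)}


def delete_via_set_cookie(jar, name, domain, path):
    """Set-Cookie with Max-Age=0 removes exactly one (name, domain, path) tuple."""
    return {c for c in jar if (c.name, c.domain, c.path) != (name, domain, path)}


def delete_via_delete_cookie(jar, header_value, host, request_path):
    """Hypothetical 'Delete-Cookie: name1, name2' (assumption: scoped to cookies
    the responding server received on this request, so other sites are unaffected)."""
    names = {n.strip() for n in header_value.split(",") if n.strip()}
    receivable = cookies_received(jar, host, request_path)
    return {c for c in jar if not (c.name in names and c in receivable)}
```

A response to `/app/admin/page` on example.com carrying `Delete-Cookie: sid` clears all three nested "sid" cookies at once, while the `Set-Cookie` form needs one header per known path and cannot reach the paths the server does not know about.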