- From: Sebastian Kamp <kamp@ti.informatik.uni-kiel.de>
- Date: Sun, 5 Aug 2001 11:16:30 +0200
- To: <www-p3p-dev@w3.org>, <www-p3p-policy@w3.org>
On Friday 03 August 2001 18:11, Lorrie Cranor wrote: > > ... > > Is it correct that the only way then to associate a lifetime to a policy > > (other than 24-hours) is by putting it into a POLICIES element? > > If this was true, I'd find it somehow inconvenient. > > Correct. Ok, let me pose an explicit question then. Why is this so? What is the advantage of this solution? > > > user agents MUST use only non-expired policies > > > and policy reference files when evaluating new set-cookie events." > > > > This is confusing. Maybe I am wrong, but isn't setting a cookie (or > > rather letting it set) is actually harmless? I think sending a cookie > > (back to the domain which set it) is the crucial moment. The policies and > > policy references involved should not be expired the moment we *send* a > > > > cookie. > > > > Since there could elapse quite a period of time between these two events, > > I think this is an important difference. > > while it is true that setting the ciikie is harmless, most user > agents evaluate cookies at the time they are set. You may evaluate > them again before sending them, but certainly if the policy has > expired already when the cookie is set, it will still be expired at a later > time when it might be sent. The point of this sentence was that > if the only policy you know that applies to a cookie has already > expired when you get a set-cookie event, then you can't use it. The last sentence is self-evident. My point is: the moment you send a cookie is the moment to make sure a policy applying is still valid, the moment a cookie is set is irrelevant. This statement is meant as an opinion as well as an implied question to this list. Do you share this view or does anybody have another understanding of this? > Lorrie Regards Sebastian -------------------------------------------------------
Received on Sunday, 5 August 2001 05:18:17 UTC