
Re: Session tracking

From: Larry Masinter <masinter@parc.xerox.com>
Date: Thu, 20 Apr 1995 21:06:59 PDT
To: montulli@netscape.com
Cc: www-talk@www10.w3.org
Message-Id: <95Apr20.210711pdt.2761@golden.parc.xerox.com>

> This is a necessary feature for any large site wishing to make use
> of cookies.  Since you often want to run multiple machines this
> allows the cookie to be shared among those multiple machines.  For
> instance you may want to have all your shopping pages on a machine
> that only serves static pages and then have the actually buying or
> checkout process on another machine that is specifically geared
> for cgi processing.

I think somehow that the sites have to tell you which cookies they're
willing to take; there's no way that a client should trust site A to
tell it that site B will take its cookies. Otherwise, malicious site
A might tell the client to send A's cookies to B. This could be done
even in a site that had a common prefix, e.g., user.dorm.bigstate.edu
might start sending bad cookies to administration.bigstate.edu; even
though they had the same double-dot suffix.

Perhaps we need an HTTP reply code 'GIVE COOKIE site', e.g., where the
server says that it is willing to take cookies that were originally
given by the particular site.
Received on Friday, 21 April 1995 00:07:29 UTC
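
Added example, not part of the original message or of any cookie specification: a small client-side model of the domain tail-matching discussed in this thread, next to a variant in which the receiving host must opt in to cookies set by another host. The `Jar` class, the `accepts` table and the cookie values are assumptions made for illustration, and the two-dot check is a simplified reading of the "double-dot suffix" rule mentioned above.

```python
# Illustrative model only; the opt-in table is hypothetical, not a real HTTP feature.

def tail_match(host, domain):
    """True if host equals the domain or ends with it on a label boundary."""
    d = "." + domain.lower().lstrip(".")
    return ("." + host.lower()).endswith(d)


class Jar:
    def __init__(self, accepts=None):
        # accepts: recipient host -> set of setter hosts it is willing to take
        # cookies from. None models the scheme quoted above (no opt-in step).
        self.accepts = accepts
        self.cookies = []  # (setter_host, domain, name, value)

    def store(self, setter, domain, name, value):
        d = "." + domain.lower().lstrip(".")
        # Simplified "double-dot" rule: the domain needs at least two dots,
        # and the setting host must itself fall inside that domain.
        if d.count(".") < 2 or not tail_match(setter, d):
            return False
        self.cookies.append((setter.lower(), d, name, value))
        return True

    def to_send(self, recipient):
        recipient = recipient.lower()
        out = []
        for setter, d, name, value in self.cookies:
            if not tail_match(recipient, d):
                continue
            if self.accepts is not None and setter != recipient:
                # Opt-in variant: the recipient must have named the setter.
                if setter not in self.accepts.get(recipient, set()):
                    continue
            out.append((name, value))
        return out


def demo():
    a, b = "user.dorm.bigstate.edu", "administration.bigstate.edu"
    plain = Jar()
    plain.store(a, ".bigstate.edu", "session", "set-by-A")  # constructed value
    strict = Jar(accepts={b: {"www.bigstate.edu"}})
    strict.store(a, ".bigstate.edu", "session", "set-by-A")
    strict.store("www.bigstate.edu", ".bigstate.edu", "cart", "42")
    return plain.to_send(b), strict.to_send(b)


if __name__ == "__main__":
    print(demo())
```

With tail matching alone, the cookie set by user.dorm.bigstate.edu is delivered to administration.bigstate.edu; in the opt-in variant only the cookie from the host that the recipient named is delivered.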
