- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Thu, 20 Apr 1995 21:06:59 PDT
- To: montulli@netscape.com
- Cc: www-talk@www10.w3.org
> This is a necessary feature for any large site wishing to make use
> of cookies. Since you often want to run multiple machines this
> allows the cookie to be shared among those multiple machines. For
> instance you may want to have all your shopping pages on a machine
> that only serves static pages and then have the actual buying or
> checkout process on another machine that is specifically geared
> for cgi processing.

I think somehow that the sites have to tell you which cookies they're willing to take; there's no way that a client should trust site A to tell it that site B will take its cookies. Otherwise, malicious site A might tell the client to send A's cookies to B.

This could be done even in a site that had a common prefix, e.g., user.dorm.bigstate.edu might start sending bad cookies to administration.bigstate.edu, even though they had the same double-dot suffix.

Perhaps we need an HTTP reply code 'GIVE COOKIE site', e.g., where the server says that it is willing to take cookies that were originally given by the particular site.

Received on Friday, 21 April 1995 00:07:29 UTC
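
The scenario in the message above, as an added example that is not part of the original email: a simplified Python model of tail-matching on the cookie domain attribute, next to a hypothetical receiver opt-in check in the spirit of the 'GIVE COOKIE site' suggestion. The function names, the `ACCEPTS_FROM` table and the `checkout.bigstate.edu` host are assumptions made for illustration.

```python
# Simplified model of tail-matching on the cookie "domain" attribute
# (assumption: the domain must contain at least two dots, as for .edu hosts).

def tail_match(host, domain):
    """True if `host` is `domain` (minus its leading dot) or ends with it."""
    host, domain = host.lower(), domain.lower()
    if not domain.startswith("."):
        domain = "." + domain
    return host == domain[1:] or host.endswith(domain)

def client_accepts(setting_host, domain):
    """Client-side check when a server sets a cookie with a domain attribute."""
    return domain.count(".") >= 2 and tail_match(setting_host, domain)

def sent_under_tail_match(cookie, request_host):
    """Sharing rule from the quoted text: any host under the domain gets it."""
    return tail_match(request_host, cookie["domain"])

def sent_under_receiver_opt_in(cookie, request_host, accepts_from):
    """Hypothetical model of the 'GIVE COOKIE site' idea: the receiving host
    must itself have named the setting host before the cookie is sent to it."""
    if request_host == cookie["set_by"]:
        return True
    return (tail_match(request_host, cookie["domain"])
            and cookie["set_by"] in accepts_from.get(request_host, set()))

# Constructed scenario using the hostnames from the message.
cookie = {"name": "session", "value": "chosen-by-user-host",
          "domain": ".bigstate.edu", "set_by": "user.dorm.bigstate.edu"}

# Constructed opt-in table: administration only takes cookies from its own
# checkout host (hypothetical name), not from dorm machines.
ACCEPTS_FROM = {"administration.bigstate.edu": {"checkout.bigstate.edu"}}

def demo():
    target = "administration.bigstate.edu"
    return {
        "accepted_by_client": client_accepts(cookie["set_by"], cookie["domain"]),
        "tail_match_sends": sent_under_tail_match(cookie, target),
        "opt_in_sends": sent_under_receiver_opt_in(cookie, target, ACCEPTS_FROM),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Under tail-matching alone the client both accepts the dorm host's cookie and delivers it to the administration host; with the receiver naming its trusted setters, the same cookie is withheld.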