
Re: Session tracking

From: Lou Montulli <montulli@netscape.com>
Date: Thu, 20 Apr 1995 21:18:56 -0700
Message-Id: <9504202118.ZM24129@strumpet.mcom.com>
To: Larry Masinter <masinter@parc.xerox.com>, montulli@netscape.com
Cc: www-talk@www10.w3.org

On Apr 20,  9:06pm, Larry Masinter wrote:
> Subject: Re: Session tracking
> > This is a necessary feature for any large site wishing to make use
> > of cookies.  Since you often want to run multiple machines this
> > allows the cookie to be shared among those multiple machines.  For
> > instance you may want to have all your shopping pages on a machine
> > that only serves static pages and then have the actually buying or
> > checkout process on another machine that is specifically geared
> > for cgi processing.
>
> I think somehow that the sites have to tell you which cookies they're
> willing to take; there's no way that a client should trust site A to
> tell it that site B will take its cookies. Otherwise, malicious site
> A might tell the client to send A's cookies to B. This could be done
> even in a site that had a common prefix, e.g., user.dorm.bigstate.edu
> might start sending bad cookies to administration.bigstate.edu; even
> though they had the same double-dot suffix.
>
> Perhaps we need an HTTP reply code 'GIVE COOKIE site', e.g., where the
> server says that it is willing to take cookies that were originally
> given by the particular site.
>

Oops, I left part of it out of my proposal.

Only hosts in the specified domain can set cookies for a domain.

Therefore it is not possible to set a cookie for the B domain
unless you are in the B domain.



-- 
Lou Montulli                 http://www.mcom.com/people/montulli/
       Netscape Communications Corp.
Received on Friday, 21 April 1995 00:24:21 UTC
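
The rule stated in the message above, as an added example that is not part of the original post or of any browser's code: a client-side check that a responding host lies inside the domain it names for a cookie, matched on a label boundary. The function names and the site-a/site-b hosts are assumptions made for illustration; the bigstate.edu hosts are the ones from the quoted message, and the output shows which hosts a parent-domain cookie reaches compared with a narrower one.

```javascript
// Added illustration; function names are hypothetical, not a browser API.

// Normalise a host or cookie domain: lower-case, drop one leading dot.
function normalise(name) {
  const n = String(name).trim().toLowerCase();
  return n.startsWith(".") ? n.slice(1) : n;
}

// True when `host` is `domain` itself or a subdomain of it. The match is on
// a label boundary, so "evilbigstate.edu" is not inside "bigstate.edu".
function hostInDomain(host, domain) {
  const h = normalise(host);
  const d = normalise(domain);
  if (h === "" || d === "") return false;
  return h === d || h.endsWith("." + d);
}

// The rule from the message: a response from `responseHost` may set a cookie
// for `cookieDomain` only if that host lies in the domain.
function maySetCookie(responseHost, cookieDomain) {
  return hostInDomain(responseHost, cookieDomain);
}

// Which of `hosts` would later be sent a cookie scoped to `cookieDomain`.
function recipients(cookieDomain, hosts) {
  return hosts.filter((h) => hostInDomain(h, cookieDomain));
}

// Constructed sample hosts; the bigstate.edu names are from the quoted message.
const hosts = [
  "user.dorm.bigstate.edu",
  "administration.bigstate.edu",
  "www.site-b.example",
  "evilbigstate.edu",
];

function demo() {
  return {
    crossSite: maySetCookie("www.site-a.example", ".site-b.example"),
    lookalike: maySetCookie("evilbigstate.edu", ".bigstate.edu"),
    sibling: maySetCookie("user.dorm.bigstate.edu", ".bigstate.edu"),
    parentReach: recipients(".bigstate.edu", hosts),
    narrowReach: recipients(".dorm.bigstate.edu", hosts),
  };
}

console.log(demo());
```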