- From: <wmperry@spry.com>
- Date: Fri, 21 Apr 95 03:16 PDT
- To: montulli@netscape.com
- Cc: Multiple recipients of list <www-talk@www10.w3.org>
Lou Montulli writes:

> On Apr 20, 9:06pm, Larry Masinter wrote:
> > Subject: Re: Session tracking
> > > This is a necessary feature for any large site wishing to make use
> > > of cookies. Since you often want to run multiple machines, this
> > > allows the cookie to be shared among those multiple machines. For
> > > instance, you may want to have all your shopping pages on a machine
> > > that only serves static pages and then have the actual buying or
> > > checkout process on another machine that is specifically geared
> > > for CGI processing.
> >
> > I think somehow that the sites have to tell you which cookies they're
> > willing to take; there's no way that a client should trust site A to
> > tell it that site B will take its cookies. Otherwise, malicious site
> > A might tell the client to send A's cookies to B. This could be done
> > even in a site that had a common prefix, e.g., user.dorm.bigstate.edu
> > might start sending bad cookies to administration.bigstate.edu, even
> > though they had the same double-dot suffix.
> >
> > Perhaps we need an HTTP reply code 'GIVE COOKIE site', e.g., where the
> > server says that it is willing to take cookies that were originally
> > given by the particular site.
>
> Oops, I left part of it out of my proposal.
>
> Only hosts in the specified domain can set cookies for a domain.
>
> Therefore it is not possible to set a cookie for the B domain
> unless you are in the B domain.

This doesn't address Larry's second point though, does it? Or am I misreading this? Am a bit groggy right now - been up with the new baby since about 6:00a this morning. :)

-Bill P.
Received on Friday, 21 April 1995 06:15:53 UTC
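The following is an added illustration, not part of the archived message or of any Netscape code. It is a toy client-side cookie jar that applies the rule Lou Montulli states above (a `Set-Cookie` with a `Domain` attribute is accepted only if the host that sent it lies inside that domain) and then runs the two scenarios from the thread: the dorm host trying to plant a cookie directly on `administration.bigstate.edu`, which the rule rejects, and the dorm host scoping a cookie to the shared `bigstate.edu` suffix, which the rule accepts and which the client then sends to the administration host. The minimum-label check (`min_labels`), the hostnames under `shop.example`, and the header values are constructed for the example; the thread only mentions a "double-dot suffix".

```python
# Added example (not the original message's or Netscape's code): a minimal
# cookie jar enforcing "only hosts in the specified domain can set cookies
# for a domain", as stated in the thread, with a constructed demo.

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # stored lowercase, without a leading dot


def domain_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def may_set_domain(setting_host: str, requested_domain: str, min_labels: int = 2) -> bool:
    """Accept a Domain attribute only if the sending host is inside that
    domain (Montulli's rule). The min_labels floor is an assumed heuristic
    standing in for the thread's 'double-dot suffix' remark, so that a
    cookie cannot be scoped to a bare top-level domain such as 'edu'."""
    requested_domain = requested_domain.lower().lstrip(".")
    if requested_domain.count(".") + 1 < min_labels:
        return False
    return domain_matches(setting_host, requested_domain)


class CookieJar:
    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def receive(self, host: str, header: str) -> bool:
        """Parse a Set-Cookie header value received from `host`.
        Returns True if the cookie was stored, False if rejected."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        # With no Domain attribute the cookie is scoped to the sending host.
        domain = attrs.get("domain", host)
        if not may_set_domain(host, domain):
            return False
        self.cookies.append(Cookie(name.strip(), value, domain.lower().lstrip(".")))
        return True

    def cookies_for(self, host: str) -> dict:
        """Cookies the client would attach to a request to `host`."""
        return {c.name: c.value for c in self.cookies if domain_matches(host, c.domain)}


def demo() -> dict:
    jar = CookieJar()
    results = {}
    # Larry's scenario: a dorm host tries to set a cookie scoped directly to
    # the administration host. The sending host is not inside that domain,
    # so the jar rejects it.
    results["cross_host"] = jar.receive(
        "user.dorm.bigstate.edu", "session=evil; domain=administration.bigstate.edu")
    # Montulli's intended use (constructed hostnames): a static-content host
    # scopes a cookie to the whole site domain so a checkout host can read it.
    results["shared_domain"] = jar.receive("static.shop.example", "cart=42; domain=shop.example")
    results["sent_to_checkout"] = jar.cookies_for("checkout.shop.example")
    # Bill's question: the same rule lets the dorm host scope a cookie to
    # bigstate.edu, and the client then sends it to administration.bigstate.edu.
    results["dorm_sets_campus"] = jar.receive("user.dorm.bigstate.edu", "prefs=x; domain=bigstate.edu")
    results["sent_to_admin"] = jar.cookies_for("administration.bigstate.edu")
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The demo makes the distinction in the thread concrete: the rule blocks a host from naming some other host's domain outright, but any host under a shared suffix can still scope a cookie to that suffix, and the client will present it to every sibling host, which is the residual case Bill asks about.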