W3C home > Mailing lists > Public > www-talk@w3.org > March to April 1995

Re: Session tracking

From: <wmperry@spry.com>
Date: Fri, 21 Apr 95 03:16 PDT
Message-Id: <m0s2Fkx-00000EC@monolith>
To: montulli@netscape.com
Cc: Multiple recipients of list <www-talk@www10.w3.org>
Lou Montulli writes:
> On Apr 20,  9:06pm, Larry Masinter wrote:
> > Subject: Re: Session tracking
> > > This is a necessary feature for any large site wishing to make use
> > > of cookies.  Since you often want to run multiple machines this
> > > allows the cookie to be shared among those multiple machines.  For
> > > instance you may want have all your shopping pages an a machine
> > > that only serves static pages and then have the acually buying or
> > > checkout process on another machine that is specifically geared
> > > for cgi processing.
> >
> > I think somehow that the sites have to tell you which cookies they're
> > willing to take; there's no way that a client should trust site A to
> > tell it that site B will take it's cookies. Otherwise, malicious site
> > A might tell the client to send A's cookies to B. This could be done
> > even in a site that had a common prefix, e.g., user.dorm.bigstate.edu
> > might start sending bad cookies to administration.bigstate.edu; even
> > though they had the same double-dot suffix.
> >
> > Perhaps we need a HTTP reply code 'GIVE COOKIE site', e.g., where the
> > server says that it is willing to take cookies that were originally
> > given by the particular site.
> >
> Opps, I left part of it out of my proposal.
> Only hosts in the specified domain can set cookies for a domain.
> Therefore it is not possible to set a cookie for the B domain
> unless you are in the B domain.

  This doesn't address larry's second point though does it?  Or am I
misreading this?  Am a bit groggy right now - been up with the new baby
since about 6:00a this morning. :)

-Bill P.
Received on Friday, 21 April 1995 06:15:53 UTC

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:16 UTC