Re: errata for cookie spec

-----BEGIN PGP SIGNED MESSAGE-----

>         As a WWW developer since 1994, I was relieved by the arrival of
> cookies as a client state storage mechanism. No longer would I degrade
> performance or double app development time by having a dozen HTML files
> returned by a separate CGI, merely to preserve the PATH_INFO or QUERY_STRING
> stored state in every URL embedded in the returned file, just to preserve
> the user's entered name from the first application page to the last, where
> we say "Goodbye, <name>.". Then we began to use cookies to store Java applet
> state between invocations. Client state storage is now a cornerstone for
> most serious applications. Suggestions from the UA that the user turn off
> cookies for "security" merely break these apps, while failing to
> keep any info "private".

Misinformation about the privacy risks of cookies is very damaging to 
the many legitimate applications that require them. However, I know
of _no_ case where as an application developer or a user I would want 
a user-agent to send cookies to a domain that does not match that of 
the enclosing document.

This should be configurable of course, perhaps with the ability to block
cookies to particular sites.

Maintaining privacy does _not_ break legitimate apps; in fact, it makes them
less likely to break. Currently, many people turn off cookies altogether
in fear of the privacy risks. Certainly that will break cookie-requiring
apps.

- -- 
=-----------------------------------------------------------------------= 
Jeremey Barrett                                  VeriWeb Internet Corp.
Senior Software Engineer                         http://www.veriweb.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=


Received on Thursday, 6 February 1997 15:41:00 UTC