- From: Ari Gordon-Schlosberg <regs@nebcorp.com>
- Date: Thu, 4 May 2000 15:44:02 -0500
- To: "'www-talk@w3.org'" <www-talk@w3.org>
[Xiaolin Jiang <Xiaolin@Icarian.com>]
> Hi,
>
> Is it possible to get cookies which have been set by another company's web
> server? By talking to some people, it sounds like it is possible, but it is
> not recommended. Could anybody tell me how to do that with a servlet? And I
> also want to know the future direction regarding this issue.
No. If you can, it's a bug. The user agent is not supposed to allow that
to happen.
From 4.3.4 of RFC 2099:
    4.3.4 Sending Cookies to the Origin Server

    When it sends a request to an origin server, the user agent sends a
    Cookie request header to the origin server if it has cookies that are
    applicable to the request, based on

      * the request-host;
      * the request-URI;
      * the cookie's age

    ...

    The following rules apply to choosing applicable cookie-values from
    among all the cookies the user agent has.

    Domain Selection
        The origin server's fully-qualified host name must domain-match
        the Domain attribute of the cookie.

    Path Selection
        The Path attribute of the cookie must match a prefix of the
        request-URI.

    Max-Age Selection
        Cookies that have expired should have been discarded and thus
        are not forwarded to an origin server.
And 8.3 specifically prohibits "cookie sharing":
    8.3 Unexpected Cookie Sharing

    A user agent should make every attempt to prevent the sharing of
    session information between hosts that are in different domains.
    Embedded or inlined objects may cause particularly severe privacy
    problems if they can be used to share cookies between disparate
    hosts. For example, a malicious server could embed cookie
    information for host a.com in a URI for a CGI on host b.com. User
    agent implementors are strongly encouraged to prevent this sort of
    exchange whenever possible.
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
Received on Thursday, 4 May 2000 16:44:09 UTC
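The three selection rules quoted above (domain, path, Max-Age) are what keep a cookie set by one company's server from ever reaching another's. The following is an added example, not code from the mailing-list post or from any servlet container: a minimal user-agent cookie jar that applies those rules before building a Cookie request header. The cookie jar contents and host names (a.com, b.com, evila.com) are constructed for illustration; the "domain-match" definition is the one from section 2 of the same RFC (a host matches a Domain that starts with a dot only if the host ends with that dotted suffix), which the post does not quote but which the selection rules depend on.

```python
"""User-agent side cookie selection per RFC 2109 section 4.3.4 (illustrative)."""
from dataclasses import dataclass
from typing import List, Optional
import time


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                        # stored Domain attribute; leading "." = host and its subdomains
    path: str                          # stored Path attribute
    expires_at: Optional[float] = None # absolute time derived from Max-Age; None = session cookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 domain-match: exact host name, or host = N + domain
    with N non-empty and domain beginning with a dot. The leading dot is what
    stops 'evila.com' from matching '.a.com'."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """Path Selection: the cookie's Path must be a prefix of the request-URI path."""
    return request_path.startswith(cookie_path)


def is_expired(cookie: Cookie, now: float) -> bool:
    """Max-Age Selection: expired cookies are discarded, never forwarded."""
    return cookie.expires_at is not None and cookie.expires_at <= now


def applicable_cookies(jar: List[Cookie], host: str, path: str,
                       now: Optional[float] = None) -> List[Cookie]:
    """Return the cookies the user agent may send for this request, most
    specific Path first, as 4.3.4 requires for the Cookie header ordering."""
    now = time.time() if now is None else now
    selected = [
        c for c in jar
        if domain_match(host, c.domain)
        and path_match(path, c.path)
        and not is_expired(c, now)
    ]
    # Stable sort: longer (more specific) paths precede shorter ones.
    return sorted(selected, key=lambda c: -len(c.path))


def cookie_header(jar: List[Cookie], host: str, path: str,
                  now: Optional[float] = None) -> str:
    """Build the value of the Cookie request header ("" means no header is sent)."""
    return "; ".join(f"{c.name}={c.value}" for c in applicable_cookies(jar, host, path, now))


# Constructed cookie jar: cookies from two unrelated companies plus one expired cookie.
NOW = 1_000_000.0
JAR = [
    Cookie("sid", "a1", ".a.com", "/"),
    Cookie("pref", "dark", ".a.com", "/app"),
    Cookie("sid", "b9", "b.com", "/"),                       # host-only cookie, no leading dot
    Cookie("old", "x", ".a.com", "/", expires_at=NOW - 1),   # already expired
]

if __name__ == "__main__":
    for host, path in [("www.a.com", "/app/index"), ("b.com", "/"),
                       ("www.b.com", "/"), ("evila.com", "/")]:
        print(f"{host}{path}: Cookie: {cookie_header(JAR, host, path, NOW)!r}")
```

A request to www.a.com receives only a.com's cookies (the /app cookie first, being more specific), b.com's cookie goes only to b.com itself since it was stored without a leading dot, and neither evila.com nor any other domain sees anything. A server-side servlet therefore never has another company's cookie available to read: the user agent filtered it out before the request was sent.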