Re: cookie Port summary
Dave Kristol (dmk@research.bell-labs.com)
Mon, 24 Mar 97 16:48:12 EST
"Gregory J. Woodhouse" <gjw@wnetc.com> wrote:
> > [DMK]
> > 2) Semantics
> > Reject cookie if there is a port-list and the original connection was
> > not to a listed port.
> >
>
> Even for port 80? I'm not saying this is incorrect, but it is
> non-intuitive, and will likely confuse a lot of people. Remember, people
> may wish to share cookies across port 80 and (say) port 8080 and may
> assume they only have to include 8080 in the port list.
>
> On the other hand, it would certainly be useful to exclude port 80. I
> don't know.
Even for port 80. Not all servers run on port 80. If port-list included
port 80 implicitly, there would be no way to exclude it. Cookies emitted
from port 8000 would leak to port 80.
Dave Kristol
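
The rule discussed in this message, as an added example that is not part of the original message or of any specification text: a cookie carrying a port-list is checked against the port of the connection, once under the explicit-only rule and once under the "port 80 is implicit" alternative. The quoted, comma-separated port-list syntax and the function names are assumptions made for the illustration.

```python
from typing import Optional, Set


def parse_port_list(value: str) -> Set[int]:
    """Parse a port-list such as '"80,8080"' (assumed syntax) into a set of ints."""
    ports = set()
    for item in value.strip().strip('"').split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()) or not 0 < int(item) <= 65535:
            raise ValueError(f"bad port in port-list: {item!r}")
        ports.add(int(item))
    return ports


def port_allowed(port_list: Optional[str], conn_port: int,
                 implicit_80: bool = False) -> bool:
    """Return True if the port rule lets the cookie be used on conn_port.

    port_list   -- the cookie's port-list, or None if it has none
    conn_port   -- port of the connection being checked
    implicit_80 -- model the alternative where port 80 is always included
    """
    if port_list is None:
        return True  # no port-list: this rule does not reject anything
    ports = parse_port_list(port_list)
    if implicit_80:
        ports.add(80)  # the alternative semantics argued against in the message
    return conn_port in ports


if __name__ == "__main__":
    # Constructed cases: (port-list, connection port)
    cases = [('"8080"', 80), ('"80,8080"', 80), ('"8000"', 8000), ('"8000"', 80)]
    for plist, port in cases:
        print(f"port-list={plist:10} conn={port:5} "
              f"explicit-only={port_allowed(plist, port)!s:5} "
              f"implicit-80={port_allowed(plist, port, implicit_80=True)}")
```

The last case is the leak described in the message: a cookie restricted to port 8000 is still usable on port 80 once 80 is implicit, and no port-list can express "not port 80".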