Re: cookie Port summary
Koen Holtman (koen@win.tue.nl)
Mon, 24 Mar 1997 23:13:46 +0100 (MET)
Dave Kristol:
>
>Here's my summary and elaboration of the proposal for restricting ports
>in cookies.
[...]
>Comments?

This works for me.

With a little more work the default could be made more secure (i.e. only
send to the port it came from) in the pure `new cookie' case. But we are
probably stuck with the `send to all ports' default when being compatible
with `old cookies' sent in a Set-Cookie without a Set-Cookie2. Some
existing sites which continue sessions on secure pages will rely on this
less-secure default, I think.
>Dave Kristol
Koen.