new cookie I-D submitted
Dave Kristol (dmk@bell-labs.com)
Thu, 19 Jun 1997 15:02:24 -0400
I've submitted a new Internet Draft to appear soon (I hope):
draft-ietf-http-state-man-mec-02. You can take a look at it now via
<http://portal.research.bell-labs.com/~dmk/cookie-ver.html>. You can
find versions there with change-bars from the previous I-D or from RFC
2109.
This I-D addresses a serious flaw in RFC 2109's wording concerning
third-party cookies and unverifiable transactions that was even more
restrictive than we intended:
    When it makes an unverifiable transaction, a user agent must enable a
    session only if a cookie with a domain attribute D was sent or accepted
    in its origin transaction, such that the host name in the Request-URI of
    the unverifiable transaction domain-matches D.
The words "cookie ... in its origin transaction" make it sound like
we require there to have been a cookie in the origin transaction or else
a session cannot be initiated via an unverifiable transaction (in
addition to the other restrictions).
Koen Holtman and I have batted words around for several weeks now
(seriously slowed by my involvement with LPWA (see <http://lpwa.com>)),
but things have finally stabilized enough for me to attend to this loose
end.
Dave Kristol
P.S. Although I've Cc-ed http-wg as a courtesy, let's try to keep
discussion on http-state.
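The rule quoted in the message, worked through in code as an added example (not Dave Kristol's code and not text from the I-D or RFC 2109). It implements RFC 2109's section 2 domain-match (host A domain-matches B if the names are equal, or B is of the form .B' and A is NB with N non-empty; IP addresses match only exactly) and then applies the 4.3.5 sentence exactly as worded, so that the over-restrictive reading the message complains about is visible: when the origin transaction carried no cookie, no unverifiable transaction can get a session. The hostnames and the scenario labels are constructed for illustration and do not appear in the message.

```python
"""RFC 2109 domain-matching and the literal unverifiable-transaction rule (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple


def _is_ip_address(name: str) -> bool:
    """True for a dotted-decimal IPv4 literal; RFC 2109 treats IP hosts as exact-match only."""
    parts = name.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 domain-match.

    host domain-matches domain if the two strings are equal (compared case-insensitively,
    as DNS names are), or if domain has the form .B' and host has the form NB with N a
    non-empty string. IP addresses only ever match exactly. So x.y.com matches .y.com
    but not y.com, and y.com does not match .y.com.
    """
    host = host.lower()
    domain = domain.lower()
    if host == domain:
        return True
    if _is_ip_address(host) or _is_ip_address(domain):
        return False
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


@dataclass(frozen=True)
class OriginTransaction:
    """The user-verifiable request that led to the unverifiable one, e.g. the page
    whose HTML references an inline image on another host."""
    host: str
    cookie_domains: Tuple[str, ...]  # Domain attribute D of every cookie sent or accepted


def session_enabled(origin: OriginTransaction, unverifiable_host: str) -> bool:
    """Literal reading of the RFC 2109 4.3.5 sentence quoted in the message.

    A session is enabled for the unverifiable transaction only if some cookie with
    Domain D was sent or accepted in the origin transaction and the unverifiable
    request's host domain-matches D. With no cookie in the origin transaction there is
    nothing to match, so every unverifiable transaction is refused a session; that is
    the wording problem the new I-D sets out to fix.
    """
    return any(domain_match(unverifiable_host, d) for d in origin.cookie_domains)


def evaluate_scenarios() -> Dict[str, bool]:
    """Constructed scenarios; the hostnames are illustrative, not from the message."""
    with_cookie = OriginTransaction("www.example.com", (".example.com",))
    without_cookie = OriginTransaction("www.example.com", ())
    return {
        # Same site, image host domain-matches the cookie's Domain: session enabled.
        "same-site image, cookie in origin": session_enabled(with_cookie, "images.example.com"),
        # A third-party host never domain-matches .example.com: refused (the intended restriction).
        "third-party host, cookie in origin": session_enabled(with_cookie, "ads.tracker.example"),
        # Same site, but the origin page neither sent nor accepted a cookie: refused under the literal wording.
        "same-site image, no cookie in origin": session_enabled(without_cookie, "images.example.com"),
    }


if __name__ == "__main__":
    for label, enabled in evaluate_scenarios().items():
        print(f"{label}: {'session enabled' if enabled else 'no session'}")
```

The third scenario is the one the message is about: a first-party inline image is treated like a third-party tracker simply because the origin page happened not to involve a cookie, which is stricter than the authors intended.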