Iain Wade wrote:
>
> Hello,
>
> I have an evil cookie observation I'd like to share:
>
> While developing some CGI stuff, I noticed that my browser was sending a
> cookie which didn't make sense since I had control of that domain and I
> hadn't issued any cookies .. the name "CyberTargetAnonymous" didn't fill
> me with confidence either.
>
> After refreshing my knowledge of cookies at Netscape's developer site
> below I noticed something strange:
> http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm
>
> In the section "Determining a valid domain" is this little gem:
>
> <quote>
> If the domain attribute matches the end of the fully qualified domain
> name of the host, then path matching is performed to determine if
> the cookie should be sent. For example, a domain attribute of
> royalairways.com matches hostnames anvil.royalairways.com and
> ship.crate.royalairways.com.
>
> Only hosts within the specified domain can set a cookie for a domain. In
> addition, domain names must use at least two or three periods.
> Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
> requires only two periods; all other domains require at least three
> periods.
> </quote>
>
> So my questions are these:
>
> a) Why would Netscape Communicator 4.7 accept a cookie like this
> (invalid -- only two periods):
>
> .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous
> NMN000CDCF833FA08963E9BDBC6CAA59301

Because you are looking at the wrong spec. RFC 2109
(http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the Netscape
cookie spec. According to that RFC, this cookie is valid.

-Joe
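
Added example, not part of the original thread: the two Domain acceptance rules under discussion, written as checks a cookie-handling client could apply before storing a cookie. The Netscape rule follows the text quoted above; the RFC 2109 checks follow section 4.3.2 of that RFC; the function names and the example.com.au hostnames are constructed for illustration.

```python
# Added illustration: hostnames below are constructed sample values.
NETSCAPE_TWO_PERIOD_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def netscape_accepts(domain_attr, request_host):
    """Netscape rule as quoted in the thread: tail match + period count."""
    domain, host = domain_attr.lower(), request_host.lower()
    # "Only hosts within the specified domain can set a cookie for a domain."
    if not host.endswith(domain):
        return False
    # Two periods for the seven listed categories, three for everything else.
    tld = domain.rsplit(".", 1)[-1]
    required = 2 if tld in NETSCAPE_TWO_PERIOD_TLDS else 3
    return domain.count(".") >= required


def rfc2109_accepts(domain_attr, request_host):
    """RFC 2109 section 4.3.2 Domain checks (Path check and IP hosts omitted)."""
    domain, host = domain_attr.lower(), request_host.lower()
    # Domain must start with a dot and contain an embedded dot.
    if not domain.startswith(".") or "." not in domain.strip("."):
        return False
    # request-host must domain-match: host = N + domain, N non-empty.
    if not host.endswith(domain) or len(host) == len(domain):
        return False
    # Reject when the host prefix H (host = H + domain) itself contains a dot.
    prefix = host[: -len(domain)]
    return "." not in prefix


def compare(domain_attr, request_host):
    """Return both verdicts for one Set-Cookie Domain / request-host pair."""
    return {
        "netscape": netscape_accepts(domain_attr, request_host),
        "rfc2109": rfc2109_accepts(domain_attr, request_host),
    }


if __name__ == "__main__":
    for dom, host in [
        (".com.au", "example.com.au"),          # constructed host
        (".com.au", "www.example.com.au"),      # constructed host
        (".royalairways.com", "anvil.royalairways.com"),  # from the quoted text
    ]:
        print(dom, host, compare(dom, host))
```

A cookie stored with Domain .com.au is returned to every host whose name ends in that suffix, which is why the scope check at set time matters.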
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:27 PDT