Sprach Joachim Feise <jfeiseat_private>: > > a) Why would Netscape Communicator 4.7 accept a cookie like this > > (invalid -- only two periods): > > > > .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous > > NMN000CDCF833FA08963E9BDBC6CAA59301 > > > Because you are looking at the wrong spec. > RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the > Netscape cookie spec. > According to that RFC, this cookie is valid. Umm. I've been working on a web site that involves cookies for about half a year now. Originally we coded our cookies to the rfc2109 spec, and discovered that (apparently) there are no existing browsers which support them. Specifically, the Max-Age field was the tripping stone (rfc2109 disallows the use of the Expires field, and replaces it with a Max-Age field, see section 4.2.2 -- yes, we use HTTP/1.1 throughout). We tried all versions of Internet Explorer on the PC and Macintosh, all versions of Netscape from 4.08 through 4.7 (and a beta 5.0) on Win95 and Linux, one of the AOL browsers (I have no clue which version), and Opera 3.60.0.286 on Win95. It doesn't help that every browser we tested which claims (in the protocol) to use HTTP/1.1 violates the spec in one or more ways. We have yet to find a browser that supports rfc2109 cookies. If I had to guess at the original problem mentioned in this thread, I'd say that .com.au actually does have 3 dots in it. The real domain is .com.au. (notice the trailing dot). All FQDNs end in a trailing dot. However, that clearly violates the intent behind the restriction. On the other hand, bugs in the domain verification of cookies are dirt common, so this could be allowed because it's a bug. -- Jon Paul Nollmann ne' Darren Senn sinsterat_private Unsolicited commercial email will be archived at $1/byte/day. "Even a fool, when he holdeth his peace, is counted wise." Proverbs 17:28
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:44 PDT