Re: Session tracking

Larry Masinter ([email protected])
Fri, 21 Apr 1995 00:17:35 +0500


> This is a necessary feature for any large site wishing to make use
> of cookies. Since you often want to run multiple machines this
> allows the cookie to be shared among those multiple machines. For
> instance you may want have all your shopping pages an a machine
> that only serves static pages and then have the acually buying or
> checkout process on another machine that is specifically geared
> for cgi processing.

I think somehow that the sites have to tell you which cookies they're
willing to take; there's no way that a client should trust site A to
tell it that site B will take it's cookies. Otherwise, malicious site
A might tell the client to send A's cookies to B. This could be done
even in a site that had a common prefix, e.g., user.dorm.bigstate.edu
might start sending bad cookies to administration.bigstate.edu; even
though they had the same double-dot suffix.

Perhaps we need a HTTP reply code 'GIVE COOKIE site', e.g., where the
server says that it is willing to take cookies that were originally
given by the particular site.