"Ian Abbott" <[EMAIL PROTECTED]> writes:

> > To quote from there:
> >
> > [...] Only hosts within the specified domain can set a cookie for
> > a domain and domains must have at least two (2) or three (3)
> > periods in them to prevent domains of the form: ".com", ".edu",
> > and "va.us". Any domain that falls within one of the seven special
> > top level domains listed below only requires two periods. Any other
> > domain requires at least three. The seven special top level
> > domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
> >
> > This is amazingly stupid.
>
> It seems to make more sense if you subtract one from the number of
> periods.
Well, that, too, but I think the idea there is that the cookies matching the entire domain are supposed to begin with a period, as in "domain=.google.com". The truly stupid part is hardcoding the several popular top-level domain names, while there are many more domains that require exactly the same treatment, and more are coming up every day. So the algorithm definitely doesn't work.

> Could you assume that all two-letter TLDs are country-code TLDs and
> require one more period than other TLDs

Nope. www.google.de should be able to set the cookie for google.de no different from what www.google.com does. The same goes for other countries; "www.iskon.hr" should be able to set a cookie for the entire "iskon.hr" domain. When I say "should", I'm not arguing theory -- that kind of stuff has always worked with IE, Netscape, Mozilla, etc. I've encountered this problem when I saw that Wget failed to work with our client's single sign-on service, where other browsers worked perfectly. The problem was that it refused to set the cookie for ".arsdigita.de" because the response was coming from "sso.arsdigita.de".
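The period-counting rule quoted above, written out as an added example (this is not Wget's code and not code from anyone in the thread), reading the Domain attribute as starting with a period as in "domain=.google.com" and run over the hostnames the thread discusses. The `host_within_domain` check is an assumed implementation of "only hosts within the specified domain can set a cookie"; the hosts "www.example.com" and "www.example.va.us" are constructed for the two cases the rule was written to reject.

```python
# The seven top-level domains the Netscape spec hardcodes.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def host_within_domain(host, domain):
    """The sane half of the rule: the responding host must lie inside the
    domain it wants to set a cookie for.  'domain' carries a leading period.
    (Assumed reading of "only hosts within the specified domain".)"""
    host = host.lower()
    domain = domain.lower()
    return host.endswith(domain) or host == domain[1:]


def enough_periods(domain):
    """The hardcoded-TLD half: ".google.com" has two periods and "com" is
    special, so it passes; ".google.de" also has two periods, but "de" is
    not in the list, so the spec demands three and rejects it."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    required = 2 if tld in SPECIAL_TLDS else 3
    return domain.count(".") >= required


def netscape_domain_check(host, domain):
    """Return (accepted, reason) for a Set-Cookie Domain attribute."""
    if not domain.startswith("."):
        domain = "." + domain
    if not host_within_domain(host, domain):
        return False, "host %s is not within %s" % (host, domain)
    if not enough_periods(domain):
        return False, "%s has too few periods for its TLD" % domain
    return True, "ok"


# (host, Domain attribute) pairs: the ones the thread names, plus two
# constructed hosts for the ".com" / "va.us" cases the spec mentions.
CASES = [
    ("www.google.com", ".google.com"),        # accepted: "com" is special
    ("www.google.de", ".google.de"),          # rejected: "de" is not listed
    ("www.iskon.hr", ".iskon.hr"),            # rejected for the same reason
    ("sso.arsdigita.de", ".arsdigita.de"),    # the single sign-on failure
    ("www.example.com", ".com"),              # rejected, as intended
    ("www.example.va.us", ".va.us"),          # rejected, as intended
    ("www.google.com", ".google.de"),         # rejected: host outside domain
]


def run_cases(cases=CASES):
    """Map each (host, domain) pair to whether the spec rule accepts it."""
    return {(h, d): netscape_domain_check(h, d)[0] for h, d in cases}


if __name__ == "__main__":
    for (h, d), ok in run_cases().items():
        print("%-20s %-16s %s" % (h, d, "accept" if ok else "REJECT"))
```

Only the first pair survives: every legitimate cookie under a country-code domain is rejected by the same count that rejects ".com" and ".va.us".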