> > Cookies cannot be read from a different domain than where
> > they are set. This is a security precaution built into the
> > cookie specification.
>
> Then what exactly is the Domain attribute for in cfcookie?

It allows the same cookie to be returned to any server within that domain.
By default, cookies are only returned to the specific host which set them.

> I'm not quite sure where the security hazard comes in either.
> I can create any cookie for any domain I want manually on my
> own machine, so there's no security with cookies anyway.

The security risk isn't all that great, but it could be a potential privacy
intrusion. For example, let's say you visit "bigbutts.com". It sets a cookie
that can be returned to bigbutts.com and to noneofmybusiness.com. You later
go to noneofmybusiness.com, and your browser sends the cookie, thus
identifying itself as having visited bigbutts.com. You may object to that.

There's an alternative way of tracking users across servers, which also
requires the coordination of those servers. This is to reference an image on
the other server, which can then set a cookie when that image is requested
by the browser. This is why your browser has an option to only accept
cookies from the server from which you're actually requesting your page.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
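
As an added illustration, not part of the post above, the following Python models the two rules Dave describes: a cookie set without a Domain attribute is returned only to the exact host that set it, while one with a Domain attribute is returned to every host within that domain. It also applies the RFC 6265 rule that a browser ignores a Set-Cookie whose Domain does not cover the host that sent it; the hostnames are constructed.

```python
"""Model of browser cookie scoping per RFC 6265 (added example; hostnames
are constructed, not taken from the original thread)."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    domain: str       # host that set it, or the Domain attribute's value
    host_only: bool   # True when no Domain attribute was given


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def set_cookie(setting_host: str, name: str, domain_attr: Optional[str]) -> Optional[Cookie]:
    """A server at `setting_host` sends Set-Cookie with an optional Domain.

    Returns the cookie the browser stores, or None when the browser must
    ignore it: RFC 6265 section 5.3 step 6 rejects a Domain that does not
    cover the setting host, so a server cannot plant a cookie for an
    unrelated domain.
    """
    if domain_attr is None:
        return Cookie(name, setting_host.lower(), host_only=True)
    domain = domain_attr.lstrip(".").lower()   # a leading dot is ignored
    if not domain_match(setting_host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser include this cookie in a request to `request_host`?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_match(request_host, cookie.domain)
```

Running `set_cookie("www.example.com", "id", ".example.com")` yields a cookie that `sent_to` returns for `shop.example.com` as well, whereas the same call with no Domain attribute yields one sent only to `www.example.com`.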

------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/