RFC 2109
<quote>
4.3.2 Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

* The value for the Path attribute is not a prefix of the request-URI.
</quote>

Please correct me if I am wrong but the first point implies that a CGI at the url "/Canada/whatever.asp" may only set cookies with path starting with "/Canada/". Am I misreading the RFC?

Evil Comrade Oleg (a.k.a cookie ayatollah)

On Thu, Feb 17, 2005 at 10:17:47AM +0100, Roland Weber wrote:
> Hi Oleg,
>
> > A cookie with "/" path attribute may not be
> > set from a URL other than "/".
>
> my understanding is that a cookie with path "/" may be set from any URL with
> path prefix "/". RFC 2109 mentions the prefix requirement in section 4.3.2
> on page 6. So does RFC 2965 in section 3.3.2 on page 8. Unlike with domain
> names, there is no "reach" restriction that would prevent a servlet at
> /where/ever/it/may/reside to set a cookie for / on that host, which would
> be the same as setting a cookie without any path at all.
>
> cheers,
> Roland
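
The rule quoted from section 4.3.2, read literally as a string-prefix check and applied to the request paths mentioned in this thread. This is an added example, not part of the original messages; the function names, the `id=1` cookie and the simplified `;` splitting are assumptions of the example, and the default-path rule is the one from RFC 2109 section 4.3.1.

```python
from urllib.parse import urlsplit


def default_path(request_uri):
    """RFC 2109 4.3.1 default: the request path up to, but not
    including, the right-most '/'."""
    path = urlsplit(request_uri).path
    return path[:path.rfind("/")] if "/" in path else path


def path_attribute(set_cookie_value):
    """Return the Path attribute of a Set-Cookie value, or None if absent.
    Simplified: assumes no ';' inside quoted attribute values."""
    for av in set_cookie_value.split(";")[1:]:
        name, _, value = av.strip().partition("=")
        if name.lower() == "path":
            return value.strip().strip('"')
    return None


def accepts_path(request_uri, set_cookie_value):
    """Quoted 4.3.2 rule: reject when the Path attribute is not a
    prefix of the request-URI. True means the path check passes."""
    path = path_attribute(set_cookie_value)
    if path is None:
        path = default_path(request_uri)
    return urlsplit(request_uri).path.startswith(path)


# Constructed cases built from the paths named in the thread.
CASES = [
    ("/Canada/whatever.asp", "id=1; Path=/Canada/"),
    ("/Canada/whatever.asp", "id=1; Path=/"),
    ("/Canada/whatever.asp", "id=1; Path=/USA/"),
    ("/where/ever/it/may/reside", "id=1; Path=/"),
    ("/", "id=1; Path=/Canada/"),
    ("/Canada/whatever.asp?x=1", "id=1"),  # no Path: default applies
]


def run_cases():
    """Return (request_uri, set_cookie, accepted) for every case."""
    return [(uri, sc, accepts_path(uri, sc)) for uri, sc in CASES]


if __name__ == "__main__":
    for uri, sc, ok in run_cases():
        print(f"{uri:28} {sc:24} {'accept' if ok else 'reject'}")
```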
