On Sat, 21 Jun 2003, Matthew Darwin wrote:

> The LWP behaviour looks like a security problem to me.
>
> For example, davin.ottawa.on.ca is not related to flora.ottawa.on.ca
> So if one sets a cookie the other site can get it?
> Very bad.
>
> Canadian domains are in the form <organization>.<city>.<province>.ca
> or <organization>.<province>.ca or <organization>.ca
Cookies are a security problem, not LWP's implementation of them. The behaviour you describe is a long-established part of the Netscape cookie protocol. If you want to have your cookies only sent back to your own domain, don't give any explicit Domain attribute in the Set-Cookie header. Even there, some browsers (MSIE 5) don't require an exact domain string-match (for example, a cookie set by www.foo.com can be returned to rhubarb.www.foo.com). In fact, IIRC, some browsers allow foo.co.uk to set a cookie for the entire .co.uk domain!

Don't trust Netscape's 'standard' (cookie_spec.html) further than you can spit it: nobody has ever followed it, and nobody ever will. RFC 2965 (which LWP knows about) is much more clearly defined and better thought through, but hardly anybody uses it (neither IE nor Mozilla implements it -- nor RFC 2109 for that matter). The incentives just aren't there for it to come into widespread use. I've heard a rumour that the European Union may pass legislation containing requirements for which P3P (which deals with third-party cookies, amongst other things) is insufficient / inappropriate, and hence open a gap that RFC 2965 might fill, but I haven't tried to verify that there is/was any truth in that.

There's also the fact that RFC 2965 has unresolved Netscape-protocol (old-style cookies) interoperability issues -- errata were being discussed, but that effort seems to have stalled in the last couple of months.

John
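The Netscape domain-matching rule John describes, as an added example that is not code from the thread or from LWP: a cookie set without a Domain attribute is host-only and goes back only to the setting host, while an explicit Domain is matched by string suffix, so Domain=.ottawa.on.ca reaches both davin and flora. The `SHARED_SUFFIXES` set is a constructed stand-in for a real public-suffix list; the check that uses it is an assumed server-side guard, not part of the original post.

```python
# Netscape-style cookie domain matching (added example, not LWP code).
from typing import Optional, Tuple

# Constructed list of shared registry suffixes for this demonstration only;
# a real deployment would consult the Public Suffix List (assumption).
SHARED_SUFFIXES = {"ottawa.on.ca", "on.ca", "ca", "co.uk", "uk", "com"}


def effective_domain(setting_host: str, domain_attr: Optional[str]) -> Tuple[str, bool]:
    """Return (domain, host_only) as a Netscape-style cookie jar stores it.

    No Domain attribute in Set-Cookie -> host-only cookie bound to setting_host.
    An explicit Domain (leading dot stripped) -> domain cookie, not host-only.
    """
    if domain_attr is None:
        return setting_host.lower(), True
    return domain_attr.lower().lstrip("."), False


def cookie_sent_to(domain: str, host_only: bool, request_host: str) -> bool:
    """Netscape domain-match as written in cookie_spec.html.

    Host-only cookies require an exact host match (MSIE 5's looser behaviour,
    returning www.foo.com cookies to rhubarb.www.foo.com, is *not* modelled).
    Domain cookies go to the domain itself and to any host ending in "." + domain,
    which is exactly how flora.ottawa.on.ca receives a cookie scoped to
    .ottawa.on.ca by davin.ottawa.on.ca.
    """
    request_host = request_host.lower()
    if host_only:
        return request_host == domain
    return request_host == domain or request_host.endswith("." + domain)


def domain_is_too_broad(domain_attr: str) -> bool:
    """Assumed server-side guard: refuse a Domain attribute that is itself a
    shared registry suffix, since every organisation under that suffix would
    then receive the cookie (the davin/flora case, or foo.co.uk setting .co.uk)."""
    return domain_attr.lower().lstrip(".") in SHARED_SUFFIXES
```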
