Posted to modperl@perl.apache.org by will trillich <wi...@serensoft.com> on 2001/06/29 18:58:50 UTC

setting httpd cookie domains

----- Forwarded message from will trillich <wi...@serensoft.com> -----

From: will trillich <wi...@serensoft.com>
Date: Tue, 1 May 2001 21:58:41 -0500
To: debian-user@lists.debian.org
Subject: OT -- setting httpd cookies

Pointers welcome, of course, to which FM i should R:

In setting cookies via cgi or whatever, there's rules on
having to include at least two portions of your domain in the
cookie, such as for hyperarchive.lcs.mit.edu the minimum
domain allowable would be mit.edu, right? But you still have to
put the two dots in, as for example, ".mit.edu".

Would this allow cookies from "smith.mit.edu" and "www.mit.edu"
AND "mit.edu" to be set properly? Or would they go into the bit
bucket, for greenpeace-friendly recycling?


Or for a more hypothetical instance, cpu.subnet.org.tld can set
cookies with domain=".org.tld" and so can "www.org.tld" but can
plain old prefix-challenged "org.tld" work cookies, in this case?


-- 
I'd concentrate on "living in the now" because it is fun
and on building a better world because it is possible.
	- Tod Steward

will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!

RE: setting httpd cookie domains

Posted by David Harris <dh...@drh.net>.
David Harris <dh...@drh.net> wrote:
> These two should answer your question.

You may also need to read section 4.3.4, "Sending Cookies to the Origin
Server," to determine what cookies will be sent to what servers.

The criterion you are probably looking for is this:

}} The origin server's fully-qualified host name must
}} domain-match the Domain attribute of the cookie.

David




RE: setting httpd cookie domains

Posted by David Harris <dh...@drh.net>.
will trillich <wi...@serensoft.com> wrote:
> Pointers welcome, of course, to which FM i should R:
>
> In setting cookies via cgi or whatever, there's rules on
> having to include at least two portions of your domain in the
> cookie, such as for hyperarchive.lcs.mit.edu the minimum
> domain allowable would be mit.edu, right? But you still have to
> put the two dots in, as for example, ".mit.edu".
>
> Would this allow cookies from "smith.mit.edu" and "www.mit.edu"
> AND "mit.edu" to be set properly? Or would they go into the bit
> bucket, for greenpeace-friendly recycling?

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html

Here is how to compare domains from section two in the document:

}} Hosts names can be specified either as an IP address or a FQHN
}} string. Sometimes we compare one host name with another. Host
}} A's name domain-matches host B's if
}}
}}    * both host names are IP addresses and their host
}}      name strings match exactly; or
}}
}}    * both host names are FQDN strings and their host
}}      name strings match exactly; or
}}
}}    * A is a FQDN string and has the form NB, where N
}}      is a non-empty namestring, B has the form .B', and
}}      B' is a FQDN string.  (So, x.y.com domain-matches
}}      .y.com but not y.com.)
}}
}} Note that domain-match is not a commutative operation:
}} a.b.c.com domain-matches .c.com, but not the reverse.

Here is section 4.3.2 which specifies under what criteria a user agent
should reject a cookie:

}}    * The value for the Domain attribute contains
}}      no embedded dots or does not start with a dot.
}}
}}    * The value for the request-host does not
}}      domain-match the Domain attribute.

These two should answer your question.

David Harris
President, DRH Internet Inc.
dharris@drh.net
http://www.drh.net/
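
The two RFC 2109 passages quoted above, applied to the hosts named in the question, as an added example (not code from either poster or from the RFC). It checks only the two section 4.3.2 criteria quoted in the message; the function names and the case-insensitive comparison are assumptions.

```python
import ipaddress


def is_ip(host):
    """True if host parses as an IP address literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(a, b):
    """Does host A domain-match B, per the section 2 text quoted above?"""
    if is_ip(a) or is_ip(b):
        # IP addresses only match each other, and only exactly.
        return is_ip(a) and is_ip(b) and a == b
    a, b = a.lower(), b.lower()  # assumption: names compare case-insensitively
    if a == b:
        return True
    # A = N + B with N non-empty and B = "." + B'. Requiring the leading dot
    # in B keeps "evilmit.edu" from matching ".mit.edu".
    return b.startswith(".") and len(b) > 1 and len(a) > len(b) and a.endswith(b)


def reject_reason(request_host, domain_attr):
    """Return why a user agent rejects the cookie, or None if neither of the
    two quoted section 4.3.2 criteria applies."""
    if not domain_attr.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain_attr.strip("."):
        return "Domain contains no embedded dots"
    if not domain_match(request_host, domain_attr):
        return "request-host does not domain-match Domain"
    return None


# Constructed cases built from the hosts named in the question.
CASES = [
    ("smith.mit.edu", ".mit.edu"),
    ("www.mit.edu", ".mit.edu"),
    ("mit.edu", ".mit.edu"),
    ("www.mit.edu", "mit.edu"),
    ("www.mit.edu", ".edu"),
    ("org.tld", ".org.tld"),
]

if __name__ == "__main__":
    for host, domain in CASES:
        print(f"{host:15} Domain={domain:10} -> {reject_reason(host, domain) or 'accepted'}")
```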