Posted to users@tomcat.apache.org by Mark Diggory <md...@latte.harvard.edu> on 2001/04/11 01:39:09 UTC

Cookies with same name but different domains

I'm trying to set multiple cookies with the same name and path, but with 
different Domains in a HttpServletResponse. Is this possible? I never see 
anything but the first cookie I add. According to the Sun Servlet Spec, I 
can't do this. But I've seen posts suggesting I can. Is this possible with 
Tomcat?


Otherwise, is there a method by which I can set a cookie that will go to 
all domains/paths?

-Mark Diggory


Re: Cookies with same name but different domains

Posted by Mark Diggory <md...@latte.harvard.edu>.
At 11:17 PM 4/10/01 -0500, you wrote:

>Any cookie belongs to a particular server (domain name) - the most general that
>a domain spec is allowed to be is *.foo.com i.e. with a specified TLD and second
>level domain. The path can be anything, i.e. as general as "/". The browser will
>send back all cookies which match, most specific first.
>
>The domain constraint was designed as a privacy measure to prevent snarfing of
>cookie information that came from one site by other sites, and to stop people
>from tracking user behaviour across multiple unrelated sites; the latter of
>course was famously sidestepped by DoubleClick and all the ad banner guys by
>having an image on all participating sites fetched from their own server :-)
>Modern browsers are now starting to appear which have controls to inhibit the
>DoubleClick trick, e.g. only accepting cookies from the server that the main
>page came from.

I figured as much. Which is why I approached setting multiple cookies (one 
for each of the sites I need to get it to); however, the cookie name is the 
same across all these sites. It appears Tomcat lets one set multiple 
cookies with the same name but different paths. However, it doesn't seem to 
apply to domains as well. Why can't I set two cookies in the same 
HttpServletResponse with the same name but different domains?

-Mark



Re: Cookies with same name but different domains

Posted by David Crooke <da...@convio.com>.
Any cookie belongs to a particular server (domain name) - the most general that
a domain spec is allowed to be is *.foo.com i.e. with a specified TLD and second
level domain. The path can be anything, i.e. as general as "/". The browser will
send back all cookies which match, most specific first.

The domain constraint was designed as a privacy measure to prevent snarfing of
cookie information that came from one site by other sites, and to stop people
from tracking user behaviour across multiple unrelated sites; the latter of
course was famously sidestepped by DoubleClick and all the ad banner guys by
having an image on all participating sites fetched from their own server :-)
Modern browsers are now starting to appear which have controls to inhibit the
DoubleClick trick, e.g. only accepting cookies from the server that the main
page came from.
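
The domain rule described in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model of the RFC 6265 domain-match check a browser applies to each Set-Cookie header in a response. The host names, the function names and the two-entry public-suffix set are constructed for illustration.

```javascript
// Simplified model of RFC 6265 cookie storage (sections 5.1.3 and 5.3).
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["example", "com"]);
const isIpAddress = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// True when requestHost equals cookieDomain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || (!isIpAddress(host) && host.endsWith("." + domain));
}

// Parse one Set-Cookie header value into { name, value, domain, path }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, path: "/" };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) cookie.domain = val.replace(/^\./, "").toLowerCase();
    if (key === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// Cookies a client would keep from one response served by requestHost.
function acceptedCookies(requestHost, setCookieHeaders) {
  const jar = new Map(); // keyed by name + domain + path, so one name can coexist
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (c.domain === null) c.domain = requestHost.toLowerCase(); // no Domain: host-only
    else if (PUBLIC_SUFFIXES.has(c.domain)) continue; // too general, dropped
    else if (!domainMatches(requestHost, c.domain)) continue; // other site, dropped
    jar.set(`${c.name};${c.domain};${c.path}`, c);
  }
  return [...jar.values()];
}

// Constructed response: four cookies named "id" sent by www.site-a.example.
const SAMPLE_HEADERS = [
  "id=42; Domain=site-a.example; Path=/",
  "id=42; Domain=site-b.example; Path=/",
  "id=42; Domain=.example; Path=/",
  "id=42; Path=/app",
];
acceptedCookies("www.site-a.example", SAMPLE_HEADERS)
  .forEach((c) => console.log(`kept ${c.name} for domain=${c.domain} path=${c.path}`));
```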