mailing list archives
Re: Evil Cookies.
From: jfeise () ICS UCI EDU (Joachim Feise)
Date: Thu, 3 Feb 2000 14:44:57 -0800
Iain Wade wrote:
I have an evil cookie observation I'd like to share:
While developing some CGI stuff, I noticed that my browser was sending a
cookie which didn't make sense since I had control of that domain and I
hadn't issues any cookies .. the name "CyberTargetAnonymous" didn't fill
me with confidence either.
After refreshing my knowledge of cookies at netscapes developer site
below I noticed something strange:
In the section "Determining a valid domain" is this little gem:
If the domain attribute matches the end of the fully qualified domain
name of the host, then path matching is performed to determine if
the cookie should be sent. For example, a domain attribute of
royalairways.com matches hostnames anvil.royalairways.com and
Only hosts within the specified domain can set a cookie for a domain. In
addition, domain names must use at least two or three periods.
Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
requires only two periods; all other domains require at least three
So my questions are these:
a) Why would Netscape Communicator 4.7 accept a cookie like this
(invalid -- only two periods):
.com.au TRUE / FALSE 1264987602 CyberTargetAnonymous
Because you are looking at the wrong spec.
RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the
Netscape cookie spec.
According to that RFC, this cookie is valid.