From: flaps@dgp.toronto.edu (Alan J Rosenthal)
Newsgroups: comp.infosystems.www.authoring.cgi
Subject: Re: Universal Cookies - Something new or not true?
Date: 31 Oct 1997 21:05:14 GMT
Message-ID: <878331912.916784@moon.aa.net>
References: <34599a04.2771811@news1lo.highwayone.net>

>I've been hearing from a couple of people that ought to know that it
>*is* possible to set a cookie on a client machine from one site and
>have it read from another site, one that is not the same domain name
>as the other.
My answer is: yes it is. But the answer depends on what you mean by "domain name". Certainly it is possible to do it with a different web server running on a different machine.
>That is - Set a cookie on www.sun.com and have it read by one on
>www.moon.com
No, that particular pair is not possible. (Assuming you mean "set a cookie from a web server on www.sun.com...".)
They have to share the last two hostname components, if the top-level domain is one of the "big seven" (including .com, .edu, and .net), or the last three otherwise. In fact, http://home.netscape.com/newsref/std/cookie_spec.html gives the example that a web server at anvil.acme.com can register a cookie with domain acme.com and that this cookie will be sent to a web server shipping.crate.acme.com.
This rule for what is a "domain" for cookie security purposes certainly does not prevent all situations in which data can be registered by one server and sent to a totally unrelated server, a server not even in the same organization. You can't register a cookie domain of "com", but you can register a cookie with a domain of "toronto.edu", which could cover such diverse entities as www.dgp.toronto.edu, flaps.dialup.cs.toronto.edu, www.psych.toronto.edu, unethical-startup-company.somewhere.toronto.edu. Similarly, you could register a cookie for "freds-isp.com" if you run a web server at "www.brian.podunk.nowhere.freds-isp.com".
>Is this something new (implemented on later browsers) and something I
>missed or are they talking bullsh*t?
Neither. The restrictions are much looser than some people realize, but there have not been any changes.
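
The scoping rule described in the message above, as an added example that is not part of the original post: it checks which cookie domains a host may register and which hosts would then receive the cookie. The function names are hypothetical, matching is done on whole hostname components as the post describes, and the full list of seven top-level domains is taken from the Netscape spec the post links to (the post itself names only three).

```python
# Added illustration: names are hypothetical, sample hosts are constructed.
# The seven "special" top-level domains listed in the Netscape cookie spec.
BIG_SEVEN = {"com", "edu", "net", "org", "gov", "mil", "int"}


def labels(name):
    """Split a host or cookie domain into lowercase components."""
    return name.lower().strip(".").split(".")


def tail_matches(host, domain):
    """True if the host's trailing components equal the cookie domain."""
    h, d = labels(host), labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def may_set(host, domain):
    """May a server on `host` register a cookie with this domain?"""
    d = labels(domain)
    needed = 2 if d[-1] in BIG_SEVEN else 3
    return len(d) >= needed and tail_matches(host, domain)


def recipients(setter, domain, hosts):
    """Hosts from `hosts` that would be sent a cookie set by `setter`."""
    if not may_set(setter, domain):
        return []
    return [h for h in hosts if tail_matches(h, domain)]


# Constructed host list, using the names from the post.
HOSTS = [
    "www.dgp.toronto.edu",
    "flaps.dialup.cs.toronto.edu",
    "www.psych.toronto.edu",
    "unethical-startup-company.somewhere.toronto.edu",
    "www.moon.com",
]

if __name__ == "__main__":
    print(recipients("www.dgp.toronto.edu", "toronto.edu", HOSTS))
    print(recipients("www.sun.com", "moon.com", HOSTS))  # rejected
    print(recipients("www.sun.com", "com", HOSTS))       # rejected
```

A server that leaves the domain attribute off gets the default scope, which is the host that set the cookie, so the cookie is not shared with sibling hosts under the same parent domain.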