PATCH: Cookies for fully-qualified subdomains

Dawit A. adawit at kde.org
Wed Dec 3 00:50:55 GMT 2003


On Tuesday 02 December 2003 17:30, John Firebaugh wrote:
> On Monday 01 December 2003 10:51, Dawit A. wrote:
> > On Tuesday 02 December 2003 01:25, John Firebaugh wrote:
> > > This patch fixes the following:
> > >
> > > dcop kcookiejar kcookiejar addCookies 'http://www.foo.com/' \
> > >    'Set-Cookie: FOO=bar; domain=.www.foo.com' 100
> >
> > This is illegal. 'www.foo.com' is not allowed to set a cookie for any of
> > its sub domains! Even subdomains are only allowed to set cookie for their
> > immediate top-level domain, i.e. 'subdomain.www.foo.com' can set cookie
> > for '.www.foo.com', but not for '.foo.com'. So as not to completely
> > discard such invalid cookies, the cookiejar will accept the above cookie,
> > but it will completely ignore the "domain=" parameter. This means the
> > cookie will only be sent to the actual host (www.foo.com) that set it in
> > the first place.
>
> How do you explain the following then?

Ahhh... I withdraw my objection then. I forgot that we completely ignore the 
cookie specification on this issue. Sending cookies to sub-domains is only 
troublesome if and when two sub-domains, e.g. 'a.foo.com' & 'b.foo.com', are 
owned by two completely different entities. The likelihood of this is very 
small (perhaps only hosted sites). My basis for objecting was the cookie 
specifications, RFC 2109 & 2965, both state:

"The value for the request-host does not domain-match the Domain attribute."

Your patch will violate the above by promoting the domain of 'www.foo.com' to 
'.www.foo.com' and make it possible for subdomains to match it. However, 
since we do that for other circumstances anyway, there is no need to deny 
what your patch suggests.

-- 
Regards,
Dawit A.
"Preach what you practice, practice what you preach"
