PATCH: Cookies for fully-qualified subdomains

Ingo Klöcker kloecker at kde.org
Thu Dec 4 13:43:50 GMT 2003


On Wednesday 03 December 2003 01:50, Dawit A. wrote:
> On Tuesday 02 December 2003 17:30, John Firebaugh wrote:
> > On Monday 01 December 2003 10:51, Dawit A. wrote:
> > > On Tuesday 02 December 2003 01:25, John Firebaugh wrote:
> > > > This patch fixes the following:
> > > >
> > > > dcop kcookiejar kcookiejar addCookies 'http://www.foo.com/' \
> > > >    'Set-Cookie: FOO=bar; domain=.www.foo.com' 100
> > >
> > > This is illegal. 'www.foo.com' is not allowed to set a cookie for
> > > any of its sub domains! Even subdomains are only allowed to set
> > > cookie for their immediate top-level domain, i.e.
> > > 'subdomain.www.foo.com' can set cookie for '.www.foo.com', but
> > > not for '.foo.com'. So as not to completely discard such invalid
> > > cookies, the cookiejar will accept the above cookie, but it will
> > > completely ignore the "domain=" parameter. This means the cookie
> > > will only be sent to the actual host (www.foo.com) that set it in
> > > the first place.
> >
> > How do you explain the following then?
>
> Ahhh... I withdraw my objection then. I forgot that we completely
> ignore the cookie specification on this issue. Sending cookies to
> sub-domains is only troublesome if and when two sub-domains, e.g.
> 'a.foo.com' & 'b.foo.com', are owned by two completely different
> entities. The likelihood of this is very small (perhaps only hosted
> sites).

Is it very small? Note that in many countries domains look like this:
a.co.uk, b.co.uk, etc., where .co.uk is the equivalent of .com for 
commercial sites in the UK. a.co.uk and b.co.uk are completely different 
domains. They are not just two sub-domains of the co.uk domain.

Also a leading www is omitted by more and more sites because it's really 
unnecessary. After all the protocol is defined by the port and not by 
the prepended www. Therefore this might very well be a problem because 
you'll surely agree that cookies from a.co.uk must never be sent to 
b.co.uk. Maybe I've missed something and this is still no big problem.

Regards,
Ingo
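The domain rules this thread argues about, written out as an added Python example. This is not kcookiejar code and not code from anyone in the thread; the public-suffix set is a constructed stand-in that only covers the hosts mentioned above, and a real cookie jar needs a maintained list. It shows both halves of the problem: the check a jar runs when a site tries to *set* a Domain attribute (rejecting .co.uk from a.co.uk, and .foo.com from sub.www.foo.com under the strict RFC 2109 one-level rule Dawit quotes), and the domain-match it runs when deciding whether to *send* a cookie, so that a cookie set by a.co.uk never reaches b.co.uk.

```python
# Added example: cookie Domain-attribute validation and domain matching.
# Not kcookiejar code; written to illustrate the rules discussed in the thread.
from typing import Optional

# Constructed, deliberately tiny stand-in for a public-suffix list.
# Real browsers consult a maintained list; this only covers the examples here.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk", "de"}


def normalize(domain: str) -> str:
    """Lower-case and drop the leading dot that Set-Cookie domains often carry."""
    return domain.lower().lstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """True if host domain-matches domain: equal, or host ends with '.' + domain.

    This is the test a cookie jar runs when deciding whether to SEND a cookie
    to a request host.
    """
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def may_set_domain(host: str, domain: str, strict_one_level: bool = True) -> bool:
    """Decide whether a response from host may set a cookie with Domain=domain.

    Rejects: domains the host is not under (www.foo.com -> .bar.com),
    public suffixes (a.co.uk -> .co.uk, foo.com -> .com), and, with
    strict_one_level (the RFC 2109 rule quoted in the thread), domains more
    than one label above the host (sub.www.foo.com -> .foo.com).
    """
    host, domain = normalize(host), normalize(domain)
    if not domain_matches(host, domain):
        return False
    if domain in PUBLIC_SUFFIXES:
        return False
    if strict_one_level and host != domain:
        # The part of the host below the domain must be at most one label.
        remainder = host[: -len(domain)].rstrip(".")
        if "." in remainder:
            return False
    return True


def effective_domain(host: str, domain: Optional[str]) -> str:
    """Domain a stored cookie ends up with: the Domain attribute if acceptable,
    otherwise host-only (what Dawit describes kcookiejar doing with bad domains)."""
    if domain and may_set_domain(host, domain):
        return normalize(domain)
    return normalize(host)


def would_send(setting_host: str, domain_attr: Optional[str], request_host: str) -> bool:
    """Would a cookie set by setting_host with Domain=domain_attr be sent to request_host?"""
    return domain_matches(request_host, effective_domain(setting_host, domain_attr))


if __name__ == "__main__":
    cases = [
        ("www.foo.com", ".foo.com"),
        ("www.foo.com", ".www.foo.com"),   # the case from the patch
        ("sub.www.foo.com", ".foo.com"),   # two levels up: rejected under strict rule
        ("a.co.uk", ".co.uk"),             # public suffix: rejected
        ("www.foo.com", ".bar.com"),       # not under the host at all
    ]
    for h, d in cases:
        print(f"{h:18} Domain={d:14} accept={may_set_domain(h, d)}")
    print("a.co.uk cookie reaches b.co.uk:", would_send("a.co.uk", ".co.uk", "b.co.uk"))
```

The strict one-level rule is what the RFC 2109 text describes; `strict_one_level=False` gives the looser behaviour the thread says the jar actually had, and the public-suffix check is the piece that is still needed in either mode to keep Ingo's a.co.uk / b.co.uk case safe.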