* Ted Lemon:

> It's kind of assumed that you would be aware of these issues, I guess.

But hardly anybody seems to be.

> Lots of web sites use cookies to associate a session with a
> particular user. With cross-site cookie theft, a malicious web site
> can gain access to your session cookie even if it was protected by
> https encryption when you were talking to the legitimate site.

Yes, but that's why cookies are associated with the host name of the
incoming request. The cookie set operation controls which domains can
read the cookie. No special data is required for that.

What's happening here is that a restriction is placed on the largest
possible subtree for which you can set a cookie. Failure to do this
does not grant read access to arbitrary cookies in itself. But as I
wrote, it might expose session fixation problems.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
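The scoping rules the reply refers to, as an added example that is not part of the thread: a small model of RFC 6265 cookie domain handling in which the Domain attribute widens a cookie to a subtree and the public-suffix rule caps how large that subtree may be. `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List, and the function names are this example's own.

```python
# Added example, not from the thread. Models RFC 6265 cookie domain scoping:
# the Domain attribute widens a cookie to a subtree, the public-suffix check
# caps how large that subtree may be. PUBLIC_SUFFIXES is a constructed
# stand-in for the real Public Suffix List (assumption, not the real list).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "github.io"}


def _canon(name):
    # Lower-case and strip leading/trailing dots (the Domain=.example.com form).
    return name.lower().strip(".")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3 domain-match: identical, or host ends in '.' + domain.
    The leading dot is what stops 'notexample.com' matching 'example.com'."""
    host, dom = _canon(request_host), _canon(cookie_domain)
    return host == dom or host.endswith("." + dom)


def scope_cookie(request_host, domain_attr, enforce_public_suffix=True):
    """Decide how a user agent scopes a Set-Cookie received from request_host
    (RFC 6265 5.3 steps 4-6). Returns (domain, host_only), or None when the
    cookie must be rejected outright."""
    host = _canon(request_host)
    if not domain_attr:
        return host, True                      # no Domain: host-only cookie
    dom = _canon(domain_attr)
    if enforce_public_suffix and dom in PUBLIC_SUFFIXES:
        if dom == host:
            return host, True                  # a suffix may only scope itself
        return None                            # may not claim the whole suffix
    if not domain_matches(host, dom):
        return None                            # may not set for an unrelated host
    return dom, False


def cookie_sent_to(cookie_domain, host_only, request_host):
    """Whether a stored cookie is attached to a request for request_host
    (RFC 6265 5.4 step 1)."""
    host = _canon(request_host)
    return host == _canon(cookie_domain) if host_only else domain_matches(host, cookie_domain)


def leaks_without_suffix_rule(setter_host, victim_host, suffix):
    """The failure mode the reply describes: without the public-suffix cap, a
    cookie set by one site under a shared suffix is delivered to its neighbours
    (a fixation vector), even though the setter still reads none of theirs."""
    scoped = scope_cookie(setter_host, suffix, enforce_public_suffix=False)
    if scoped is None:
        return False
    dom, host_only = scoped
    return cookie_sent_to(dom, host_only, victim_host)
```

Running `leaks_without_suffix_rule("a.co.uk", "b.co.uk", "co.uk")` returns True, while `scope_cookie("a.co.uk", "co.uk")` with the rule enforced returns None; that difference is exactly the restriction the reply says is being placed on the largest settable subtree.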