[2429] in WWW Security List Archive


Re: cookies and privacy

daemon@ATHENA.MIT.EDU (Seth I. Rich)
Wed Jul 17 15:52:12 1996

From: "Seth I. Rich" <seth@hygnet.com>
To: dmk@allegra.att.com (Dave Kristol)
Date: Wed, 17 Jul 1996 13:28:49 -0400 (EDT)
Cc: seth@hygnet.com, www-security@ns2.rutgers.edu
In-Reply-To: <9607171638.AA17372@zp> from "Dave Kristol" at Jul 17, 96 12:38:49 pm
Errors-To: owner-www-security@ns2.rutgers.edu

>   > I've just read this, and I apologize if this is the wrong forum for me to
>   > make my comments.  The first thing I notice is that this draft maintains
>   > the (IMO) absurd practice of deleting a cookie by expiring it into the
>   > past.  Wouldn't it be better to remedy that now with a "delete-cookie:"
>   > HTTP header?
> 
> There's generally a reluctance to add new HTTP headers.  Furthermore,
> the original Netscape implementation used the expires-in-the-past
> mechanism.  So for compatibility we did the same.

I'm not convinced by this argument, though.  Yes, expires-in-the-past
should work, for backwards compatibility.  But if the "cookie" thing is
going to be enshrined as a standard, shouldn't there be a -real- way to
delete a cookie, one which doesn't depend on the time settings on the
clients' machines?

Seth
---------------------------------------------------------------------------
Seth I. Rich - seth@hygnet.com            "Info-Puritan elitist crapola!!"
Systems Administrator / Webmaster, HYGNet             (pbeilard@direct.ca)
Rabbits on walls, no problem.
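The dependence on client clocks that Seth objects to can be made concrete. The following is an added example, not code from the thread or from either draft: a constructed, minimal client-side cookie jar applies a Set-Cookie header the way a browser would, judging an absolute Expires date against the client's own clock. When the client's clock is set far behind the server's (two years in the constructed case), an expires-in-the-past deletion fails and the cookie is merely overwritten; a relative lifetime (the Max-Age attribute from RFC 2109, which this message does not mention) removes it regardless of skew. The header names, SERVER_NOW and the cookie values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed reference instant: the server's clock when it sends the deletion.
SERVER_NOW = datetime(1996, 7, 17, 17, 28, 49, tzinfo=timezone.utc)


def deletion_header_expires(name):
    """Netscape-style deletion: re-set the cookie with an Expires date in the past."""
    past = SERVER_NOW - timedelta(days=365)
    return f"{name}=deleted; Expires={format_datetime(past, usegmt=True)}; Path=/"


def deletion_header_max_age(name):
    """Deletion via Max-Age=0 (RFC 2109 attribute; assumed here, not from the thread)."""
    return f"{name}=deleted; Max-Age=0; Path=/"


def parse_set_cookie(header):
    """Split 'name=value; attr=val; ...' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def apply_set_cookie(jar, header, client_now):
    """Client-side cookie jar update, using the client's own notion of 'now'."""
    name, value, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        # Relative lifetime: only the client's clock is involved, so skew cannot matter.
        expiry = client_now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        # Absolute, server-chosen date, compared against the client's clock.
        expiry = parsedate_to_datetime(attrs["expires"])
    else:
        expiry = None  # session cookie, no expiry
    if expiry is not None and expiry <= client_now:
        jar.pop(name, None)  # already expired from the client's point of view
    else:
        jar[name] = (value, expiry)  # stored (or overwritten) with a future expiry


def cookie_present_after(header, client_skew_seconds):
    """Simulate a client whose clock differs from the server's by client_skew_seconds."""
    jar = {"session": ("abc123", None)}  # constructed cookie the server wants gone
    client_now = SERVER_NOW + timedelta(seconds=client_skew_seconds)
    apply_set_cookie(jar, header, client_now)
    return "session" in jar


TWO_YEARS_BEHIND = -2 * 365 * 24 * 3600  # a client whose clock was never set


if __name__ == "__main__":
    for label, header in (("Expires", deletion_header_expires("session")),
                          ("Max-Age", deletion_header_max_age("session"))):
        for skew in (0, TWO_YEARS_BEHIND):
            print(f"{label:8} skew={skew:>11}s  cookie still present: "
                  f"{cookie_present_after(header, skew)}")
```

Run as a script, the table shows the Expires variant succeeding only when the client's clock agrees with the server's, while Max-Age=0 deletes the cookie in both cases, because the client evaluates a relative lifetime against the same clock it used to receive the header.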
