[2433] in WWW Security List Archive


Re: cookies and privacy

daemon@ATHENA.MIT.EDU (Dave Kristol)
Wed Jul 17 18:58:46 1996

Date: Wed, 17 Jul 96 16:23:04 EDT
From: dmk@allegra.att.com (Dave Kristol)
To: seth@hygnet.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

"Seth I. Rich" <seth@hygnet.com> wrote:
  > > [dmk wrote:]
  > > There's generally a reluctance to add new HTTP headers.  Furthermore,
  > > the original Netscape implementation used the expires-in-the-past
  > > mechanism.  So for compatibility we did the same.
  > 
  > I'm not convinced by this argument, though.  Yes, expires-in-the-past
  > should work, for backwards compatibility.  But if the "cookie" thing is
  > going to be enshrined as a standard, shouldn't there be a -real- way to
  > delete a cookie, one which doesn't depend on the time settings on the
  > clients' machines?

Well, actually we (authors) partly agree.  The I-D actually calls for a
Max-Age attribute for new cookies which is a delta and thus not
affected by client machines' clocks.

Dave Kristol
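The point of the exchange above, shown in code as an added example that is not part of the original thread or of the cookie I-D: a deliberately simplified cookie jar (constructed here, not a full RFC parser) that evaluates an incoming Set-Cookie on a client whose clock may be skewed, so that expires-in-the-past deletion fails when the client clock runs behind while Max-Age=0 deletes regardless.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split 'NAME=value; Attr=v; ...' into (name, value, {attr_lower: v})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_expiry(attrs, client_now):
    """Expiry instant as the client computes it with its own clock reading client_now.
    Max-Age is a delta from the client's 'now', so any clock skew cancels out;
    Expires is an absolute date that is compared directly against the client clock."""
    if "max-age" in attrs:
        return client_now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None  # no expiry attribute: session cookie


def apply_set_cookie(jar, header, client_now):
    """Store the cookie, or drop it if it is already expired on arrival."""
    name, value, attrs = parse_set_cookie(header)
    expiry = cookie_expiry(attrs, client_now)
    if expiry is not None and expiry <= client_now:
        jar.pop(name, None)
    else:
        jar[name] = value
    return jar


def deletion_outcomes(clock_skew_seconds):
    """Return (deleted_via_expires, deleted_via_max_age) for a client whose clock is
    clock_skew_seconds off from the server. Server time is a constructed sample."""
    server_now = datetime(1996, 7, 17, 20, 23, 4, tzinfo=timezone.utc)
    client_now = server_now + timedelta(seconds=clock_skew_seconds)
    one_year_ago = (server_now - timedelta(days=365)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    jar = apply_set_cookie({"SID": "abc"}, f"SID=; Expires={one_year_ago}", client_now)
    expires_deleted = "SID" not in jar
    jar = apply_set_cookie({"SID": "abc"}, "SID=; Max-Age=0", client_now)
    max_age_deleted = "SID" not in jar
    return expires_deleted, max_age_deleted
```

A client clock set two years behind the server keeps the cookie that Expires was meant to delete, while Max-Age=0 removes it in every case.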
