Full Disclosure mailing list archives
Re: Multiple Cookies combined to a single Set-Cookie response
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 20 Mar 2009 10:00:10 +0100
> Could anyone put in any thoughts on this...
That's a weird question for full-disclosure@ - but yeah, your observations are correct - see the intro text and first bullet here: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

In general, cookie support is a mess to an extent higher than many other mechanisms. There is an original, half-baked draft from Netscape that reflects the bulk of current cookie behavior most accurately; RFC 2109, which attempted to sort it out, but is widely disregarded on most counts, though with some exceptions; and RFC 2965, flat out ignored by most browsers. Every browser has an implementation based on its best reading of these three documents, but each implementation is unique. Multiple cookies per Set-Cookie, cookie ordering, quoted-string handling, and host-scoped cookie behavior are the most important differences (all of which have some security consequences, by the way).

/mz
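The "multiple cookies per Set-Cookie" ambiguity the reply mentions, as an added example that is not part of the original thread: the header below is constructed, and the comma heuristic is an assumption for illustration, not any browser's actual parsing code. It shows why folding two cookies into one header (RFC 2109 style) is fragile: the Expires date itself contains a comma, so a naive split corrupts the first cookie, while a name=-aware split recovers both. Emitting one Set-Cookie header per cookie avoids the question entirely.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two cookies folded into a single Set-Cookie header.
# The Expires attribute carries a comma (day-of-week separator), which is
# exactly what makes comma-folded cookie headers ambiguous.
FOLDED_HEADER = (
    "sessionid=abc123; Path=/; Expires=Fri, 20 Mar 2009 10:00:10 GMT, "
    "prefs=dark; Path=/"
)

# Assumed heuristic: a comma starts a new cookie only when followed by
# something shaped like "name=". The comma inside "Fri, 20 Mar" is followed
# by "20 " (no "="), so it is left alone.
_COOKIE_BOUNDARY = re.compile(r",\s*(?=[^=;,\s]+=)")


def split_naive(header: str) -> List[str]:
    """Split on every comma: the reading that breaks Expires dates."""
    return [part.strip() for part in header.split(",")]


def split_heuristic(header: str) -> List[str]:
    """Split only on commas that introduce a new name=value pair."""
    return [part.strip() for part in _COOKIE_BOUNDARY.split(header)]


def parse_cookie(fragment: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse 'name=value; attr=val; ...' into (name, value, attributes)."""
    pieces = [p.strip() for p in fragment.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_from_folded_header(header: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Recover the individual cookies from a comma-folded Set-Cookie value."""
    return [parse_cookie(frag) for frag in split_heuristic(header)]


if __name__ == "__main__":
    print("naive split    :", split_naive(FOLDED_HEADER))
    print("heuristic split:", split_heuristic(FOLDED_HEADER))
    for name, value, attrs in cookies_from_folded_header(FOLDED_HEADER):
        print(f"{name}={value} {attrs}")
```

Even the heuristic split can be fooled by a cookie value that itself contains ", name=", so a server should set one cookie per Set-Cookie header rather than rely on the receiver guessing the boundaries.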
Current thread:
- Multiple Cookies combined to a single Set-Cookie response Phani (Mar 19)
- Re: Multiple Cookies combined to a single Set-Cookie response Michal Zalewski (Mar 20)