Re: Cookies sent to different ports?

[Martin Mačok <martin.macok () underground cz>]

On Tue, Dec 14, 2004 at 03:24:14PM -0500, CFW wrote:

> - a user goes to a web server running at http://host:12345/,
> - host:12345 responds with a Set-Cookie: ... , PATH=/
> - user/browser goes to http://host:54321/ (same host as above)

> Someone (thanks Matt) looked in to this for me a little and it turns 
> out that this is required by the RFC, cookies are tied to host and 
> protocol (HTTP or HTTPS, though I think this is only sometime true 
> through use of the "secure" cookie tag), not to port.

You could restrict the cookie to the port too. It's in the same
RFC (RFC-2965 HTTP State Management Mechanism):

[..]

   Port[="portlist"]
      OPTIONAL.  The Port attribute restricts the port to which a cookie
      may be returned in a Cookie request header.  Note that the syntax
      REQUIREs quotes around the OPTIONAL portlist even if there is only
      one portnum in portlist.

[..]

Martin Mačok
IT Security Consultant