WebApp Sec mailing list archives
Re: Cookies sent to different ports?
From: CFW <cfw_security () comcast net>
Date: Thu, 16 Dec 2004 12:17:29 -0500
Martin Mačok wrote:
> On Tue, Dec 14, 2004 at 03:24:14PM -0500, CFW wrote:
> > - a user goes to a web server running at http://host:12345/,
> > - host:12345 responds with a Set-Cookie: ... , PATH=/
> > - user/browser goes to http://host:54321/ (same host as above)
> >
> > Someone (thanks Matt) looked into this for me a little and it turns out that this is required by the RFC, cookies are tied to host and protocol (HTTP or HTTPS, though I think this is only sometimes true through use of the "secure" cookie tag), not to port.
>
> You could restrict the cookie to the port too. It's in the same RFC (RFC-2965 HTTP State Management Mechanism):
>
> [..]
> Port[="portlist"]
>     OPTIONAL. The Port attribute restricts the port to which a cookie may be returned in a Cookie request header. Note that the syntax REQUIREs quotes around the OPTIONAL portlist even if there is only one portnum in portlist.
> [..]
>
> Martin Mačok
> IT Security Consultant

The RFC that you reference talks about the Set-Cookie2 header and its options. Is that header supported by modern browsers? Or, have those options become part of the standard Set-Cookie definition?
Chuck
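The behaviour the thread is discussing can be reproduced offline with Python's http.cookiejar, which models a browser-style cookie store: a plain Set-Cookie from host:12345 is also offered to host:54321, while an RFC 2965 Set-Cookie2 with Port="12345" is held back. This is an added example, not code from the thread; the hostname app.example.test, the ports and the cookie value are constructed for the demonstration, and rfc2965=True must be passed to DefaultCookiePolicy because Set-Cookie2 handling is off by default.

```python
"""Added example: why a cookie set by host:12345 is also sent to host:54321.

Uses Python's http.cookiejar without any network access.  The hostname,
port numbers and cookie values are constructed for the demonstration.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, header_name, header_value):
        self._headers = Message()
        self._headers[header_name] = header_value

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_header, header_name="Set-Cookie",
                       set_port=12345, probe_port=54321, rfc2965=False):
    """Store a cookie received from http://app.example.test:<set_port>/ and
    return the Cookie header (or None) the jar would attach to a later
    request to http://app.example.test:<probe_port>/ on the same host.
    rfc2965=True enables Set-Cookie2 parsing, which the policy disables
    by default."""
    policy = http.cookiejar.DefaultCookiePolicy(rfc2965=rfc2965)
    jar = http.cookiejar.CookieJar(policy)

    # Server on set_port hands out the cookie.
    setter = urllib.request.Request(f"http://app.example.test:{set_port}/")
    jar.extract_cookies(_FakeResponse(header_name, set_cookie_header), setter)

    # Browser later talks to a different port on the same host.
    probe = urllib.request.Request(f"http://app.example.test:{probe_port}/")
    jar.add_cookie_header(probe)
    return probe.get_header("Cookie")


def netscape_cookie_crosses_ports():
    # Plain Set-Cookie as in the thread: the cookie has no port scope, so the
    # cookie issued by :12345 is also sent to :54321.
    return cookie_header_sent("sid=abc123; Path=/")


def rfc2965_port_attribute_is_enforced():
    # Set-Cookie2 with Port="12345" (quotes required by RFC 2965): the jar
    # withholds the cookie from :54321, so no Cookie header is produced.
    return cookie_header_sent('sid=abc123; Version=1; Path="/"; Port="12345"',
                              header_name="Set-Cookie2", rfc2965=True)


def rfc2965_cookie_returns_to_own_port():
    # Same Set-Cookie2 cookie is still returned to the port that set it.
    return cookie_header_sent('sid=abc123; Version=1; Path="/"; Port="12345"',
                              header_name="Set-Cookie2", probe_port=12345,
                              rfc2965=True)


if __name__ == "__main__":
    print("Set-Cookie  -> :54321 receives:", netscape_cookie_crosses_ports())
    print("Set-Cookie2 -> :54321 receives:", rfc2965_port_attribute_is_enforced())
    print("Set-Cookie2 -> :12345 receives:", rfc2965_cookie_returns_to_own_port())
```

The practical consequence for a defender is the one CFW's scenario implies: two services on the same host that differ only by port share a cookie namespace, so a session cookie issued by one is exposed to the other unless the applications themselves are separated by hostname.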
Current thread:
- Cookies sent to different ports? CFW (Dec 15)
- Re: Cookies sent to different ports? Martin Mačok (Dec 16)
- Re: Cookies sent to different ports? CFW (Dec 20)
- <Possible follow-ups>
- RE: Cookies sent to different ports? Michael Silk (Dec 16)
- Re: Cookies sent to different ports? Martin Mačok (Dec 16)