asp_web_howto thread: cookies
Message #1 by "Morgan, Rob" <Rob.Morgan@o...> on Fri, 16 Nov 2001 09:33:18 -0500
Got a quick cookie question for you all, and I can't remember if this was possible.
I have different domain names in my organization. If I make a cookie on one
domain, can I read it from another domain? I want the user to travel around
our domain names and let different applications use the same cookie
information.
Thanks
Rob
Message #2 by Mark Eckeard <meckeard2000@y...> on Fri, 16 Nov 2001 07:19:42 -0800 (PST)
Rob,
A cookie is specific to the browser/machine. If the
user uses the same browser to view both sites, and the
code is in both to read the cookie, then yes, it is
possible.
Mark
--- "Morgan, Rob" <Rob.Morgan@o...> wrote:
> got a quick cookie ? for u all and I can't remember
> if this was possible.
>
> I have different domain names in my organization.
> If i make a cookie on one
> domain can I read it from another domain? I want
> the user travel around
> our domain names and let different application use
> the same cookie
> information?
>
> Thanks
> Rob
Message #3 by "Morgan, Rob" <Rob.Morgan@o...> on Fri, 16 Nov 2001 10:31:28 -0500
thanks!
-----Original Message-----
From: Mark Eckeard [mailto:meckeard2000@y...]
Sent: Friday, November 16, 2001 10:20 AM
To: ASP Web HowTo
Subject: [asp_web_howto] Re: cookies
Rob,
A cookie is specific to the browser/machine. If the
user uses the same browser to view both sites, and the
code is in both to read the cookie, then yes, it is
possible.
Mark
--- "Morgan, Rob" <Rob.Morgan@o...> wrote:
> got a quick cookie ? for u all and I can't remember
> if this was possible.
>
> I have different domain names in my organization.
> If i make a cookie on one
> domain can I read it from another domain? I want
> the user travel around
> our domain names and let different application use
> the same cookie
> information?
>
> Thanks
> Rob
Message #4 by "Daniel O'Dorisio" <daniel@o...> on Fri, 16 Nov 2001 10:48:04 -0500
i would have to argue that point..
by design cookies are only accessible by the domain that creates them..
there is a hole in win 2k that will allow different domains to "Steal" the
cookies..
look at these articles for a few ways to get around:
http://www.asp101.com/articles/chris/transfercookies/default.asp
http://www.asp-zone.com/articles/jw030101/jw030101-1.asp
http://support.microsoft.com/support/kb/articles/Q264/3/45.ASP
(kb article about hole)
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Mark Eckeard" <meckeard2000@y...> wrote in message
news:120598@a..._web_howto...
>
> Rob,
>
> A cookie is specific to the browser/machine. If the
> user uses the same browser to view both sites, and the
> code is in both to read the cookie, then yes, it is
> possible.
>
> Mark
> --- "Morgan, Rob" <Rob.Morgan@o...> wrote:
> > got a quick cookie ? for u all and I can't remember
> > if this was possible.
> >
> > I have different domain names in my organization.
> > If i make a cookie on one
> > domain can I read it from another domain? I want
> > the user travel around
> > our domain names and let different application use
> > the same cookie
> > information?
> >
> > Thanks
> > Rob
Message #5 by Mark Eckeard <meckeard2000@y...> on Fri, 16 Nov 2001 08:07:05 -0800 (PST)
Daniel,
I thought the browser ultimately controlled the
cookie.
I stand corrected.
Mark
--- Daniel O'Dorisio <daniel@o...>
wrote:
> i would have to argue that point..
>
> by design cookies are only accessable by the domain
> that creates them..
> there is a hole in win 2k that will allow different
> domains to "Steal" the
> cookies..
>
> look on these articles for a few ways to get
> arround:
>
http://www.asp101.com/articles/chris/transfercookies/default.asp
>
http://www.asp-zone.com/articles/jw030101/jw030101-1.asp
>
http://support.microsoft.com/support/kb/articles/Q264/3/45.ASP
> (kb article about hole)
>
> daniel
>
> --
> -----------------------------
> Daniel O'Dorisio
> daniel@o...
> www.odorisio-networks.com
> -----------------------------
>
> "Mark Eckeard" <meckeard2000@y...> wrote in
> message
> news:120598@a..._web_howto...
> >
> > Rob,
> >
> > A cookie is specific to the browser/machine. If
> the
> > user uses the same browser to view both sites, and
> the
> > code is in both to read the cookie, then yes, it
> is
> > possible.
> >
> > Mark
> > --- "Morgan, Rob" <Rob.Morgan@o...>
> wrote:
> > > got a quick cookie ? for u all and I can't
> remember
> > > if this was possible.
> > >
> > > I have different domain names in my
> organization.
> > > If i make a cookie on one
> > > domain can I read it from another domain? I
> want
> > > the user travel around
> > > our domain names and let different application
> use
> > > the same cookie
> > > information?
> > >
> > > Thanks
> > > Rob
Message #6 by "Morgan, Rob" <Rob.Morgan@o...> on Fri, 16 Nov 2001 11:13:34 -0500
That hole now has a patch
http://www.computerworld.com/storyba/0,4125,NAV47_STO65747,00.html
-----Original Message-----
From: Mark Eckeard [mailto:meckeard2000@y...]
Sent: Friday, November 16, 2001 11:07 AM
To: ASP Web HowTo
Subject: [asp_web_howto] Re: cookies
Daniel,
I thought the browser ultimately controlled the
cookie.
I stand corrected.
Mark
--- Daniel O'Dorisio <daniel@o...>
wrote:
> i would have to argue that point..
>
> by design cookies are only accessable by the domain
> that creates them..
> there is a hole in win 2k that will allow different
> domains to "Steal" the
> cookies..
>
> look on these articles for a few ways to get
> arround:
>
http://www.asp101.com/articles/chris/transfercookies/default.asp
>
http://www.asp-zone.com/articles/jw030101/jw030101-1.asp
>
http://support.microsoft.com/support/kb/articles/Q264/3/45.ASP
> (kb article about hole)
>
> daniel
>
> --
> -----------------------------
> Daniel O'Dorisio
> daniel@o...
> www.odorisio-networks.com
> -----------------------------
>
> "Mark Eckeard" <meckeard2000@y...> wrote in
> message
> news:120598@a..._web_howto...
> >
> > Rob,
> >
> > A cookie is specific to the browser/machine. If
> the
> > user uses the same browser to view both sites, and
> the
> > code is in both to read the cookie, then yes, it
> is
> > possible.
> >
> > Mark
> > --- "Morgan, Rob" <Rob.Morgan@o...>
> wrote:
> > > got a quick cookie ? for u all and I can't
> remember
> > > if this was possible.
> > >
> > > I have different domain names in my
> organization.
> > > If i make a cookie on one
> > > domain can I read it from another domain? I
> want
> > > the user travel around
> > > our domain names and let different application
> use
> > > the same cookie
> > > information?
> > >
> > > Thanks
> > > Rob
Message #7 by "Johnson, Israel" <IJohnson@R...> on Fri, 16 Nov 2001 11:15:42 -0500
Dan............Thanks for the articles...I didn't know this was possible.
-----Original Message-----
From: Daniel O'Dorisio [mailto:daniel@o...]
Sent: Friday, November 16, 2001 10:48 AM
To: ASP Web HowTo
Subject: [asp_web_howto] Re: cookies
i would have to argue that point..
by design cookies are only accessable by the domain that creates them..
there is a hole in win 2k that will allow different domains to "Steal" the
cookies..
look on these articles for a few ways to get arround:
http://www.asp101.com/articles/chris/transfercookies/default.asp
http://www.asp-zone.com/articles/jw030101/jw030101-1.asp
http://support.microsoft.com/support/kb/articles/Q264/3/45.ASP
(kb article about hole)
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Mark Eckeard" <meckeard2000@y...> wrote in message
news:120598@a..._web_howto...
>
> Rob,
>
> A cookie is specific to the browser/machine. If the
> user uses the same browser to view both sites, and the
> code is in both to read the cookie, then yes, it is
> possible.
>
> Mark
> --- "Morgan, Rob" <Rob.Morgan@o...> wrote:
> > got a quick cookie ? for u all and I can't remember
> > if this was possible.
> >
> > I have different domain names in my organization.
> > If i make a cookie on one
> > domain can I read it from another domain? I want
> > the user travel around
> > our domain names and let different application use
> > the same cookie
> > information?
> >
> > Thanks
> > Rob
Message #8 by "Daniel O'Dorisio" <daniel@o...> on Fri, 16 Nov 2001 11:47:49 -0500
HOT off the press.. thanks!
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Morgan, Rob" <Rob.Morgan@o...> wrote in message
news:120621@a..._web_howto...
>
> That hole now has a patch
>
> http://www.computerworld.com/storyba/0,4125,NAV47_STO65747,00.html
>
> -----Original Message-----
> From: Mark Eckeard [mailto:meckeard2000@y...]
> Sent: Friday, November 16, 2001 11:07 AM
> To: ASP Web HowTo
> Subject: [asp_web_howto] Re: cookies
>
>
> Daniel,
>
> I thought the browser ultimately controlled the
> cookie.
> I stand corrected.
>
> Mark
> --- Daniel O'Dorisio <daniel@o...>
> wrote:
> > i would have to argue that point..
> >
> > by design cookies are only accessable by the domain
> > that creates them..
> > there is a hole in win 2k that will allow different
> > domains to "Steal" the
> > cookies..
> >
> > look on these articles for a few ways to get
> > arround:
> >
> http://www.asp101.com/articles/chris/transfercookies/default.asp
> >
> http://www.asp-zone.com/articles/jw030101/jw030101-1.asp
> >
> http://support.microsoft.com/support/kb/articles/Q264/3/45.ASP
> > (kb article about hole)
> >
> > daniel
> >
> > --
> > -----------------------------
> > Daniel O'Dorisio
> > daniel@o...
> > www.odorisio-networks.com
> > -----------------------------
> >
> > "Mark Eckeard" <meckeard2000@y...> wrote in
> > message
> > news:120598@a..._web_howto...
> > >
> > > Rob,
> > >
> > > A cookie is specific to the browser/machine. If
> > the
> > > user uses the same browser to view both sites, and
> > the
> > > code is in both to read the cookie, then yes, it
> > is
> > > possible.
> > >
> > > Mark
> > > --- "Morgan, Rob" <Rob.Morgan@o...>
> > wrote:
> > > > got a quick cookie ? for u all and I can't
> > remember
> > > > if this was possible.
> > > >
> > > > I have different domain names in my
> > organization.
> > > > If i make a cookie on one
> > > > domain can I read it from another domain? I
> > want
> > > > the user travel around
> > > > our domain names and let different application
> > use
> > > > the same cookie
> > > > information?
> > > >
> > > > Thanks
> > > > Rob
Message #9 by "Ken Schaefer" <ken@a...> on Mon, 19 Nov 2001 11:31:14 +1100
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Daniel O'Dorisio" <daniel@o...>
Sent: Saturday, November 17, 2001 2:48 AM
Subject: [asp_web_howto] Re: cookies
: i would have to argue that point..
:
: by design cookies are only accessable by the domain
: that creates them..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IIRC - a cookie can only be read by the domain that it is *set to*
So foo.com can set a cookie for bar.com which means that bar.com can read
it, but foo.com can not.
Alternatively, foo.com can set a cookie for foo.com, which can be read by
foo.com, but not bar.com
Cheers
Ken
Message #10 by "Daniel O'Dorisio" <daniel@o...> on Sun, 18 Nov 2001 19:51:48 -0500
yes you are correct.. my apologies.. i should have clarified..
thanks!
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Ken Schaefer" <ken@a...> wrote in message
news:120912@a..._web_howto...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> From: "Daniel O'Dorisio" <daniel@o...>
> Sent: Saturday, November 17, 2001 2:48 AM
> Subject: [asp_web_howto] Re: cookies
>
>
> : i would have to argue that point..
> :
> : by design cookies are only accessable by the domain
> : that creates them..
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> IIRC - a cookie can only be read by the domain that it is *set to*
>
> So foo.com can set a cookie for bar.com which means that bar.com can read
> it, but foo.com can not.
> Alternatively, foo.com can set a cookie for foo.com, which can be read by
> foo.com, but not bar.com
>
> Cheers
> Ken
>
>
>
Message #11 by "Daniel O'Dorisio" <daniel@o...> on Sun, 18 Nov 2001 22:12:03 -0500
ken..
hmm.. well after i sent that last email.. i said.. hmm.. this is weird.. so
i'm going to do more studying on it... and i think i am going to have to say
that this won't work.. you can only set a cookie for the domain on which the
page resides... (i should have thought of this before sending the last
email)
------------------------
> IIRC - a cookie can only be read by the domain that it is *set to*
>
> So foo.com can set a cookie for bar.com which means that bar.com can read
> it, but foo.com can not.
> Alternatively, foo.com can set a cookie for foo.com, which can be read by
> foo.com, but not bar.com
------------------------
i agree with the fact that you can only read a cookie on the domain which
matches the domain value of that cookie.. but the other thing is.. you can
only set a cookie if the domain matches the value you are trying to set it
to with exceptions to subdomains. so in effect.. you can only read cookies
that were created on that domain.. from what i have found.. here is my
research.. with a conclusion at the end:
according to cookie central they say that this can't be done
http://www.cookiecentral.com/faq/#4.7 no big deal.. that is cookie central..
but then i go to the RFC 2109 on http state management (cookies) i get this:
(section 4.3.2)
<quote>
To prevent possible security or privacy violations, a user agent
rejects a cookie (shall not store its information) if any of the
following is true:
* The value for the Path attribute is not a prefix of the request-
URI.
* The value for the Domain attribute contains no embedded dots or
does not start with a dot.
* The value for the request-host does not domain-match the Domain
attribute.
* The request-host is a FQDN (not IP address) and has the form HD,
where D is the value of the Domain attribute, and H is a string
that contains one or more dots.
</quote>
i kept searching since that rfc is dated.. and found this at
http://www.simplythebest.net/info/cookieinfo.html:
<quote>
domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain
attributes of the cookie is made with the Internet domain name of the host
from which the URL will be fetched. If there is a tail match, then the
cookie will go through path matching to see if it should be sent. "Tail
matching" means that domain attribute is matched against the tail of the
fully qualified domain name of the host. A domain attribute of "me.com"
would match host names "yes.me.com" as well as "yes.no.me.com".
Only hosts within the specified domain can set a cookie for a domain and
domains must have at least two (2) or three (3) periods in them to prevent
domains of the form: ".com", ".edu", and "va.us". Any domain that fails
within one of the seven special top level domains listed below only require
two periods. Any other domain requires at least three. The seven special top
level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL" and "INT". The
default value of domain is the host name of the server which generated the
cookie response.
</quote>
i kept looking and found this in RFC 2965 which is dated october of 2000
(http://www.ietf.org/rfc/rfc2965.txt section 3.3.2)
<quote>
Moreover, a user agent rejects (SHALL NOT
store its information) if any of the following is true of the
attributes explicitly present in the Set-Cookie2 response header:
* The value for the Path attribute is not a prefix of the
request-URI.
* The value for the Domain attribute contains no embedded dots,
and the value is not .local.
* The effective host name that derives from the request-host does
not domain-match the Domain attribute.
* The request-host is a HDN (not IP address) and has the form HD,
where D is the value of the Domain attribute, and H is a string
that contains one or more dots.
* The Port attribute has a "port-list", and the request-port was
not in the list.
</quote>
according to STD1 this is the current recommendation..
so then this brings me to this conclusion:
cookies can be set to only the domain on which that page resides. should the
page try to set a cookie for xyz.com and it resides on abc.com the user
agent will disregard that cookie because the request-host and domain
attributes do not match up.
maybe i have missed something.. i would love to know.. if you see some error
in what i have found let me know.. but for now (unless i get another email
tonight) i am going to try to get some other stuff done..
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Ken Schaefer" <ken@a...> wrote in message
news:120912@a..._web_howto...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> From: "Daniel O'Dorisio" <daniel@o...>
> Sent: Saturday, November 17, 2001 2:48 AM
> Subject: [asp_web_howto] Re: cookies
>
>
> : i would have to argue that point..
> :
> : by design cookies are only accessable by the domain
> : that creates them..
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> IIRC - a cookie can only be read by the domain that it is *set to*
>
> So foo.com can set a cookie for bar.com which means that bar.com can read
> it, but foo.com can not.
> Alternatively, foo.com can set a cookie for foo.com, which can be read by
> foo.com, but not bar.com
>
> Cheers
> Ken
>
>
>
Message #12 by "Ken Schaefer" <ken@a...> on Mon, 19 Nov 2001 14:42:29 +1100
Since my previous post, I've also been reading:
http://www.ietf.org/rfc/rfc2109.txt
which indicates that the Request-Host (originating server) can only set a
cookie for the domain it is part of - I was reading the wrong part (the bit
where it says that the receiving server will only accept a cookie that
matches the domain that the receiving server is part of).
Of course, the above is by no means definitive of real world behaviour as
cookies were originally developed by Netscape, and thus there is no
definitive standard that everybody follows...but it appears that I was
incorrect previously. Thanks for the info.
Cheers
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Daniel O'Dorisio" <daniel@o...>
Subject: [asp_web_howto] Re: cookies
: ken..
: hmm.. well after i sent that last email.. i said.. hmm.. this is wierd..
so
: im going to do more studying on it... and i think i am going to have to
say
: that this wont work.. you can only set a cookie for the domain on wich the
: page resides... (i should have thought of this before sending the last
: email)
: ------------------------
: > IIRC - a cookie can only be read by the domain that it is *set to*
: >
: > So foo.com can set a cookie for bar.com which means that bar.com can
read
: > it, but foo.com can not.
: > Alternatively, foo.com can set a cookie for foo.com, which can be read
by
: > foo.com, but not bar.com
: ------------------------
: i agree with the fact that you can only read a cookie on the domain of
which
: matches the domain value of that cookie.. but the other thing is.. you can
: only set a cookie if the domain matches the value you are trying to set it
: to with exceptions to subdomains. so in effect.. you can only read cookies
: that were created on that domain.. from what i have found.. here is my
: research.. with a conclusion at the end:
:
:
: according to cookie central they say that this cant be done
: http://www.cookiecentral.com/faq/#4.7 no big deal.. taht is cookie
central..
:
: but then i go to the RFC 2109 on http state management(cookies) i get
this:
: (section 4.3.2)
Message #13 by "Daniel O'Dorisio" <daniel@o...> on Sun, 18 Nov 2001 22:38:13 -0500
thank you for the info.. i would probably not have gone in more depth had
you not sent that email.. thanks!
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Ken Schaefer" <ken@a...> wrote in message
news:120932@a..._web_howto...
>
> Since my previous post, I've also been reading:
> http://www.ietf.org/rfc/rfc2109.txt
> which indicates that the Request-Host (originating server) can only set a
> cookie for the domain it is part of - I was reading the wrong part (the
bit
> where it says that the receving server will only accept a cookie that
> matches the domain that the receiving server is part of).
>
> Of course, the above is no means definitive of real world behaviour as
> cookies where originally developed by Netscape, and thus there is no
> definitive standard that everybody follows...but it appears that I was
> incorrect previously. Thanks for the info.
>
> Cheers
> Ken
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> From: "Daniel O'Dorisio" <daniel@o...>
> Subject: [asp_web_howto] Re: cookies
>
>
> : ken..
> : hmm.. well after i sent that last email.. i said.. hmm.. this is wierd..
> so
> : im going to do more studying on it... and i think i am going to have to
> say
> : that this wont work.. you can only set a cookie for the domain on wich
the
> : page resides... (i should have thought of this before sending the last
> : email)
> : ------------------------
> : > IIRC - a cookie can only be read by the domain that it is *set to*
> : >
> : > So foo.com can set a cookie for bar.com which means that bar.com can
> read
> : > it, but foo.com can not.
> : > Alternatively, foo.com can set a cookie for foo.com, which can be read
> by
> : > foo.com, but not bar.com
> : ------------------------
> : i agree with the fact that you can only read a cookie on the domain of
> which
> : matches the domain value of that cookie.. but the other thing is.. you
can
> : only set a cookie if the domain matches the value you are trying to set
it
> : to with exceptions to subdomains. so in effect.. you can only read
cookies
> : that were created on that domain.. from what i have found.. here is my
> : research.. with a conclusion at the end:
> :
> :
> : according to cookie central they say that this cant be done
> : http://www.cookiecentral.com/faq/#4.7 no big deal.. taht is cookie
> central..
> :
> : but then i go to the RFC 2109 on http state management(cookies) i get
> this:
> : (section 4.3.2)
>
>
>
>
Message #14 by "Morgan, Rob" <Rob.Morgan@o...> on Mon, 19 Nov 2001 07:15:27 -0500
Thanks for all the info..
I did some research on the topic also and found that a cookie can be read by
all webservers as long as they have the same sub domain name. The domain
attribute can be used for a sub domain as long as two periods are used. I was
able to set the domain on the cookie to .ode.state.oh.us and then any web
server in my domain could read the cookie info.
Here are a few nice articles on the subject.
http://www.softartisans.com/softartisans/techfour.html
http://www.asp101.com/articles/chris/transfercookies/default.asp
http://www.zdnet.com/devhead/stories/articles/0,4413,2614768,00.html
Thanks
Rob
-----Original Message-----
From: Daniel O'Dorisio [mailto:daniel@o...]
Sent: Sunday, November 18, 2001 10:38 PM
To: ASP Web HowTo
Subject: [asp_web_howto] Re: cookies
thank you for the info.. i would probally not have gone in more depth had
you not sent that email.. thanks!
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
"Ken Schaefer" <ken@a...> wrote in message
news:120932@a..._web_howto...
>
> Since my previous post, I've also been reading:
> http://www.ietf.org/rfc/rfc2109.txt
> which indicates that the Request-Host (originating server) can only set a
> cookie for the domain it is part of - I was reading the wrong part (the
bit
> where it says that the receving server will only accept a cookie that
> matches the domain that the receiving server is part of).
>
> Of course, the above is no means definitive of real world behaviour as
> cookies where originally developed by Netscape, and thus there is no
> definitive standard that everybody follows...but it appears that I was
> incorrect previously. Thanks for the info.
>
> Cheers
> Ken
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> From: "Daniel O'Dorisio" <daniel@o...>
> Subject: [asp_web_howto] Re: cookies
>
>
> : ken..
> : hmm.. well after i sent that last email.. i said.. hmm.. this is wierd..
> so
> : im going to do more studying on it... and i think i am going to have to
> say
> : that this wont work.. you can only set a cookie for the domain on wich
the
> : page resides... (i should have thought of this before sending the last
> : email)
> : ------------------------
> : > IIRC - a cookie can only be read by the domain that it is *set to*
> : >
> : > So foo.com can set a cookie for bar.com which means that bar.com can
> read
> : > it, but foo.com can not.
> : > Alternatively, foo.com can set a cookie for foo.com, which can be read
> by
> : > foo.com, but not bar.com
> : ------------------------
> : i agree with the fact that you can only read a cookie on the domain of
> which
> : matches the domain value of that cookie.. but the other thing is.. you
can
> : only set a cookie if the domain matches the value you are trying to set
it
> : to with exceptions to subdomains. so in effect.. you can only read
cookies
> : that were created on that domain.. from what i have found.. here is my
> : research.. with a conclusion at the end:
> :
> :
> : according to cookie central they say that this cant be done
> : http://www.cookiecentral.com/faq/#4.7 no big deal.. taht is cookie
> central..
> :
> : but then i go to the RFC 2109 on http state management(cookies) i get
> this:
> : (section 4.3.2)
>
>
>
>
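The acceptance rules worked out in this thread (the RFC 2109 section 4.3.2 list quoted in message #11 and the .ode.state.oh.us result in message #14), as an added example that is not part of any poster's message: a JavaScript sketch of a user agent applying those four rules and then deciding which hosts receive the stored cookie. The function names and the host labels "www" and "apps" are constructed for illustration.

```javascript
// Added example: the RFC 2109 section 4.3.2 rejection rules quoted in the thread.
// Function names and the "www"/"apps" host labels are constructed assumptions.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 2109 domain-match: the strings are identical, or B has the form ".B'"
// and A is a non-empty name followed by B (so x.y.com matches .y.com).
function domainMatch(host, domain) {
  const a = host.toLowerCase();
  const b = domain.toLowerCase();
  if (a === b) return true;
  if (IPV4.test(a)) return false; // IP addresses only match exactly
  return b.startsWith(".") && a.length > b.length && a.endsWith(b);
}

// Decide whether a user agent following RFC 2109 stores a Set-Cookie.
// cookie = { domain?: string, path?: string }
function checkSetCookie(requestHost, requestPath, cookie) {
  const host = requestHost.toLowerCase();

  // Rule 1: Path must be a prefix of the request-URI.
  if (cookie.path !== undefined && !requestPath.startsWith(cookie.path)) {
    return { stored: false, reason: "Path is not a prefix of the request-URI" };
  }
  if (cookie.domain === undefined) {
    // No Domain attribute: the cookie defaults to the request-host itself.
    return { stored: true, domain: host, reason: "defaulted to request-host" };
  }
  const domain = cookie.domain.toLowerCase();

  // Rule 2: Domain needs a leading dot and at least one embedded dot.
  const inner = domain.slice(1).replace(/\.$/, "");
  if (!domain.startsWith(".") || !inner.includes(".")) {
    return { stored: false, reason: "Domain has no embedded dots or no leading dot" };
  }
  // Rule 3: the request-host must domain-match the Domain attribute.
  if (!domainMatch(host, domain)) {
    return { stored: false, reason: "request-host does not domain-match Domain" };
  }
  // Rule 4: request-host has the form HD and H contains a dot.
  const h = host.slice(0, host.length - domain.length);
  if (!IPV4.test(host) && h.includes(".")) {
    return { stored: false, reason: "request-host is HD and H contains a dot" };
  }
  return { stored: true, domain, reason: "accepted" };
}

// Of a list of candidate hosts, those that would be sent a stored cookie.
function recipients(cookieDomain, hosts) {
  return hosts.filter((h) => domainMatch(h, cookieDomain));
}

// Constructed cases: Ken's foo.com/bar.com question and Rob's domain.
const cases = [
  ["foo.com", { domain: ".bar.com" }],
  ["www.ode.state.oh.us", { domain: ".ode.state.oh.us" }],
  ["www.ode.state.oh.us", { domain: ".state.oh.us" }],
  ["www.foo.com", { domain: ".com" }],
];
for (const [host, cookie] of cases) {
  const r = checkSetCookie(host, "/", cookie);
  console.log(`${host} sets Domain=${cookie.domain}: ${r.stored ? "stored" : "rejected"} (${r.reason})`);
}
console.log(recipients(".ode.state.oh.us",
  ["www.ode.state.oh.us", "apps.ode.state.oh.us", "www.state.oh.us", "foo.com"]));
```

A cookie scoped to .ode.state.oh.us goes to every host directly under that domain, so each of those servers sees its value. RFC 6265, which later replaced these specifications, ignores the leading dot and drops the fourth rule, so current browsers accept some Domain values this check rejects.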