From kde-devel Sat Aug 09 20:57:53 2003
From: ze
Date: Sat, 09 Aug 2003 20:57:53 +0000
To: kde-devel
Subject: cookie are not sent back on simple domain.tld with country code tld
X-MARC-Message: https://marc.info/?l=kde-devel&m=106046279008245

Hi,

Using Konqueror to visit a site (my bank), I log on and accept the cookie. I check the cookie with the cookie management, and it is there... a cookie with a domain in .somedomain.fr, but when I click somewhere, my bank asks me to auth again, because Konqueror doesn't send the cookie back.

I analyzed the "unwanted" behavior by "spoofing" the server... (/etc/hosts, a self-made client...)

Tested browsers and behavior:

* Konqueror accepts the cookie, but silently just doesn't send it.
* w3m directly rejects the cookie, with a "This cookie was rejected to prevent security violation. [wrong number of dots]"
* Mozilla and IE don't complain, and just let me check my bank account (so, they just accept the cookies, and send them back)

(http://wp.netscape.com/newsref/std/cookie_spec.html)
The "Netscape" specifications claim that cookie domains must have at least 3 dots for country code tld (1-2), instead of the 2 for special tld (3).

I didn't find any other document (like an RFC) about it... the only thing I found was a general RFC, allowing 2-dot domains everywhere, nothing special.

As Mozilla doesn't care about the Netscape recommendation, I don't think they should be kept 100% on.

If anyone could tell me where to find more information about that strange behavior, and who is "right", I would appreciate reading more about it.

I suggest changing Konqueror to allow it to use (accept and send back) such cookies, and adding a specific message warning people about the "dangerous" behavior when they decide to accept cookies for such a domain...

Some 2-dot domains are real domains, some 2-dot domains are just sub-class tlds, and should not be able to keep cookies (like .co.nz) (cf. a document I just found about the "Bug Affecting Non-Generic Domains": http://homepages.paradise.net.nz/~glineham/cookiemonster.html)

(1) tld: Top Level Domain
(2) country code tld: tld with 2 letters, for country
(3) special tld: the 7 three-letter tlds (kinda international) (com, edu, net, org, gov, mil, int)

-- 
ze
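
The three acceptance policies the message compares, side by side, as an added example that is not part of the original post or of Konqueror's code. The function names, the one-entry `REGISTRY_SUFFIXES` set and the sample domains `.example.com` and `.bank.co.nz` are assumptions made for illustration.

```python
# Added example: cookie Domain checks discussed in the message above.
# The seven "special" TLDs are the ones listed in footnote (3).
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

# Constructed, deliberately incomplete set of registry-style suffixes
# (assumption); ".co.nz" is the one named in the message.
REGISTRY_SUFFIXES = {"co.nz"}


def normalize(domain):
    """Lower-case the value and make sure it carries the leading dot."""
    d = domain.strip().lower().rstrip(".")
    return d if d.startswith(".") else "." + d


def netscape_rule(domain):
    """Dot-count rule: 2 dots for the seven special TLDs, 3 otherwise."""
    d = normalize(domain)
    tld = d.rsplit(".", 1)[-1]
    needed = 2 if tld in SPECIAL_TLDS else 3
    return d.count(".") >= needed


def flat_two_dot_rule(domain):
    """Accept any domain with at least 2 dots, whatever the TLD."""
    return normalize(domain).count(".") >= 2


def suffix_aware_rule(domain):
    """2 dots minimum, but never a cookie scoped to a registry suffix."""
    d = normalize(domain)
    return d.count(".") >= 2 and d.lstrip(".") not in REGISTRY_SUFFIXES


def compare(domains):
    """Return {domain: (netscape, flat, suffix_aware)} for each input."""
    return {d: (netscape_rule(d), flat_two_dot_rule(d), suffix_aware_rule(d))
            for d in domains}


if __name__ == "__main__":
    # Constructed sample inputs; only .somedomain.fr and .co.nz are from the message.
    samples = [".somedomain.fr", ".example.com", ".co.nz", ".bank.co.nz", ".fr"]
    for dom, (ns, flat, aware) in compare(samples).items():
        print(f"{dom:16} netscape={ns!s:5} flat={flat!s:5} suffix_aware={aware}")
```

The dot-count rule refuses `.somedomain.fr` along with `.co.nz`, the flat rule accepts both, and only a check that knows which suffixes are registries separates the two cases.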