List: kde-devel
Subject: Cookies are not sent back on simple domain.tld with country code TLD
From: ze <ze () all-3rd ! net>
Date: 2003-08-09 20:57:53
Hi,
Using Konqueror to visit a site (my bank), I log on and accept the cookie.
I check the cookie in the cookie management dialog; it is there: a cookie
with a domain of .somedomain.fr. But when I click somewhere, my bank asks
me to authenticate again, because Konqueror doesn't send the cookie back.
I analyzed the "unwanted" behavior by "spoofing" the server
(/etc/hosts, a self-made client...).
Tested browsers and their behavior:
* Konqueror accepts the cookie, but silently just doesn't send it.
* w3m directly rejects the cookie, with a "This cookie was rejected to
prevent security violation. [wrong number of dots]"
* Mozilla and IE don't complain, and just let me check my bank account
(so they accept the cookies and send them back).
(http://wp.netscape.com/newsref/std/cookie_spec.html)
The "Netscape" specification claims that cookie domains must have at least 3
dots for country code TLDs (1-2), instead of the 2 for special TLDs (3).
I didn't find any other document (like an RFC) about it... the only thing
I found was a general RFC, allowing 2-dot domains everywhere, nothing
special. As Mozilla doesn't care about the Netscape recommendation, I don't
think it should be kept 100% on.
If anyone could tell me where to find more information about that
strange behavior, and who is "right", I would appreciate reading more
about it.
I suggest changing Konqueror to allow using (accepting and sending back)
such cookies, and adding a specific message warning people about the
"dangerous" behavior when they decide to accept cookies for such a
domain... some 2-dot domains are real domains, some 2-dot domains are
just sub-class TLDs, and should not be able to keep cookies (like .co.nz)
(cf. a document I just found about the "Bug Affecting Non-Generic
Domains": http://homepages.paradise.net.nz/~glineham/cookiemonster.html)
(1) TLD: Top Level Domain
(2) country code TLD: TLD with 2 letters, for a country
(3) special TLD: the 7 three-letter TLDs (kinda international)
(com, edu, net, org, gov, mil, int)
--
ze
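Added example, not code from the original message, from Konqueror, or from any of the browsers named: the dot-counting rule from the Netscape cookie specification cited above, implemented side by side with the public-suffix rule that browsers later adopted for the same check. The public suffix set embedded here is a small constructed sample, not the real Public Suffix List, and the hostnames and Domain attributes are constructed from the cases in the message (.somedomain.fr, .co.nz, an ordinary .com domain).

```javascript
// Added example, not from the original message or from Konqueror.
// Two ways of deciding whether a cookie's Domain attribute may be accepted
// (and, by the same test, whether a stored cookie is sent back to a host):
//   1. the dot-counting rule from the Netscape cookie specification, and
//   2. a public-suffix rule, which is what browsers later converged on.

// The seven TLDs the Netscape spec exempts from the three-dot requirement.
const SPECIAL_TLDS = new Set(['com', 'edu', 'net', 'org', 'gov', 'mil', 'int']);

// Constructed sample of public suffixes. Real browsers use the full
// Public Suffix List; this set only covers the cases below.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'fr', 'nz', 'co.nz', 'uk', 'co.uk']);

// Lower-case a Domain attribute and give it a leading dot, so
// 'somedomain.fr' and '.somedomain.fr' are treated alike.
function normalizeDomain(domain) {
  const d = domain.trim().toLowerCase();
  return d.startsWith('.') ? d : '.' + d;
}

// Tail match: the request host must be the domain itself or a host below it.
// '.somedomain.fr' matches 'somedomain.fr' and 'www.somedomain.fr',
// but not 'evil.fr' or 'notsomedomain.fr'.
function domainMatches(host, domain) {
  const h = host.trim().toLowerCase();
  const d = normalizeDomain(domain);
  return h === d.slice(1) || h.endsWith(d);
}

// Netscape rule: a Domain attribute under one of the seven special TLDs
// needs at least two dots; any other domain, including every country-code
// TLD, needs at least three. This is why '.somedomain.fr' (two dots) fails
// while '.example.com' (two dots) passes.
function netscapeAccepts(host, domain) {
  const d = normalizeDomain(domain);
  if (!domainMatches(host, d)) return false;
  const dots = (d.match(/\./g) || []).length;
  const tld = d.slice(d.lastIndexOf('.') + 1);
  const required = SPECIAL_TLDS.has(tld) ? 2 : 3;
  return dots >= required;
}

// Public-suffix rule: accept if the host tail-matches the domain and the
// domain is not itself a public suffix. 'somedomain.fr' is registrable and
// passes; 'co.nz' is a suffix under which anyone can register and fails.
function publicSuffixAccepts(host, domain) {
  const d = normalizeDomain(domain);
  if (!domainMatches(host, d)) return false;
  return !PUBLIC_SUFFIXES.has(d.slice(1));
}

// Constructed cases: the bank's cookie from the message, a .co.nz-style
// second-level suffix, an ordinary .com domain, and a host that does not
// belong to the cookie's domain at all.
const CASES = [
  { host: 'www.somedomain.fr', domain: '.somedomain.fr' },
  { host: 'www.example.co.nz', domain: '.co.nz' },
  { host: 'www.example.com', domain: '.example.com' },
  { host: 'www.evil.fr', domain: '.somedomain.fr' },
];

// Run both rules over the cases so the divergence is visible in one table.
function compareRules(cases = CASES) {
  return cases.map((c) => ({
    host: c.host,
    domain: c.domain,
    netscape: netscapeAccepts(c.host, c.domain),
    publicSuffix: publicSuffixAccepts(c.host, c.domain),
  }));
}

for (const r of compareRules()) {
  console.log(`${r.domain.padEnd(16)} on ${r.host.padEnd(20)} netscape=${r.netscape} publicSuffix=${r.publicSuffix}`);
}
```

The table shows the two rules disagreeing exactly on the message's case: `.somedomain.fr` fails the Netscape count (two dots under a country-code TLD) but is a perfectly registrable domain under the public-suffix rule, while `.co.nz` is rejected by both. Whichever rule a client chooses, applying the same function both when a cookie is stored and when it is selected for sending avoids the symptom described in the message, a cookie that is kept but never sent back.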