DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=38360>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38360 ------- Additional Comments From [EMAIL PROTECTED] 2006-12-26 07:09 ------- Well, it's a feature. It's only a possible issue across sub-domains -- as specified in rfc 2109, the request-host and the Domain attribute must host match or the user-agent will reject the cookie. So, it's not a problem for a.example.com trying to read/write cookies for b.foo.com. However, if a.example.com and b.example.com were maintained by two different organizations, then maybe they wouldn't want to use this. Of course, the same thing for x.y.example.com and y.example.com. This is already possible for non-session cookies using javax.servlet.http.Cookie.setDomain(), and allowed/specified by rfc 2109. Resin, already support this behavior: http://www.caucho.com/resin-3.1/doc/session-tags.xtp#cookie-domain As implemented, this patch allows this config to be set in the <Context /> -- maybe there's a better place for it that would alleviate your security concerns? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
