Re: cookies and privacy

• To: seth@hygnet.com
• Subject: Re: cookies and privacy
• From: dmk@allegra.att.com (Dave Kristol)
• Date: Wed, 17 Jul 96 16:23:04 EDT
• Cc: www-security@ns2.rutgers.edu

"Seth I. Rich" <seth@hygnet.com> wrote:
  > > [dmk wrote:]
  > > There's generally a reluctance to add new HTTP headers.  Furthermore,
  > > the original Netscape implementation used the expires-in-the-past
  > > mechanism.  So for compatibility we did the same.
  > 
  > I'm not convinced by this argument, though.  Yes, expires-in-the-past
  > should work, for backwards compatibility.  But if the "cookie" thing is
  > going to be enshrined as a standard, shouldn't there be a -real- way to
  > delete a cookie, one which doesn't depend on the time settings on the
  > clients' machines?

Well, actually we (authors) partly agree.  The I-D actually calls for a
Max-Age attribute for new cookies which is a delta and thus not
affected by client machines' clocks.

Dave Kristol

• Previous: Re: - cookies and privacy
• Next: Re:- cookies and privacy
• Index(es):
  • Index
  • Thread