Re: Session tracking

Larry Masinter (masinter@parc.xerox.com)
Thu, 20 Apr 1995 02:11:26 +0500


> o The "domain" attribute, if present, specifies a server domain in the
> form of a TCP/IP domain name. Note that the domain acts as a tail end
> mask. All hosts within the specified domain will recieve the cookie
> on subsequent requests. Only hosts within the specified domain can
> set a cookie for a domain and domains must have at least two (2)
> periods in them to prevent domains of the form: ".com" and ".edu".
> ".mcom.com" is an example of a valid domain.

This doesn't work outside of the US. For example, companies in the UK
tend to have domain names that end in .co.uk. I don't know if you can
tell merely by syntax what the actual domain of authority is for a DNS
name.

Is this a necessary feature? If it isn't reliable and can be abused,
it would be best to avoid it.