Servers are intended to be the main controller of cookies. Servers can read cookies,
write cookies, and set security controls on the cookies. The cookie security controls
include the following:
• domain  This attribute resembles the same origin policy but is scoped to host
names rather than origins. If the server sends no domain attribute, the cookie is
host-only: it defaults to the exact host in the HTTP request Host header and is not
sent to subdomains. The server may instead set the domain to the request host itself
or to any parent domain of it, and the cookie is then sent to that domain and all of
its subdomains. For example, if the HTTP request was to x.y.z.com, then x.y.z.com
can set cookies for all of *.y.z.com or for all of *.z.com, but it cannot set cookies
for an unrelated domain such as other.com; browsers discard a cookie whose domain
attribute does not match the requesting host. No host may set cookies for a top level
domain (TLD) such as *.com, or for any other public suffix (co.uk, for example):
browsers reject these so that one site cannot plant cookies on every other site under
the suffix. Note the flip side of widening the domain: a cookie set for z.com is
readable and writable by every host under z.com, so a compromised subdomain, or one
that serves user-supplied content, can read or overwrite it.
• path  This attribute was intended to refine the domain model to include the URL
path. The path attribute is optional; if omitted, the browser derives it from the
request URL by dropping everything after the last slash (a cookie set by
http://x.y.z.com/a/WebApp defaults to path /a). If set, the cookie is sent only on
requests whose path equals the attribute or begins with it at a slash boundary. For
example, say http://x.y.z.com/a/WebApp set a cookie with path /a; then the cookie
would be sent to http://x.y.z.com/a/* only, which includes
http://x.y.z.com/a/b/index.html. It would not be sent to http://x.y.z.com/index.html
or to http://x.y.z.com/ab. The path attribute is a scoping convenience, not a
security boundary: the same origin policy does not distinguish paths, so script on a
page at http://x.y.z.com/other/ can still read the cookie through document.cookie of
a frame it points at /a/.
• secure  If a cookie has this attribute set, the cookie is sent only on HTTPS
requests, so it is never transmitted in cleartext on the network. The attribute limits
where the cookie travels; it does not stop script on the page from reading it.
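The acceptance and matching rules behind the three attributes above, as an added example that is not part of the original text: a small Python model of the RFC 6265 domain-match, path-match and default-path logic a browser applies when storing a cookie and when deciding whether to attach it to a request. The public-suffix set, host names and URLs are constructed for illustration (a real implementation consults the full Public Suffix List), and the IP-address check is a deliberately crude assumption.

```python
"""Model of browser cookie scoping per RFC 6265: which Domain attributes a host
may set, and whether a stored cookie is attached to a given request URL."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # effective domain, lowercase, no leading dot
    path: str
    host_only: bool      # True when the server sent no Domain attribute
    secure: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or domain is a suffix of host at a label
    boundary and host is a name rather than an IPv4 address (crude check)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    return not host.replace(".", "").isdigit()


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: prefix match that respects '/' boundaries,
    so cookie path /a covers /a/b/index.html but not /ab."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: everything up to the last '/' of the
    request path, or '/' when there is nothing to strip."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def accept_domain(request_host: str, domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """RFC 6265 5.3 steps 4-6: return (effective domain, host_only), or None
    when the browser must discard the cookie."""
    host = request_host.lower()
    if not domain_attr:
        return host, True                       # host-only cookie
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES and domain != host:
        return None                             # no cookies for *.com, *.co.uk
    if not domain_matches(host, domain):
        return None                             # x.y.z.com cannot target other.com
    return domain, False


def store_cookie(request_url: str, name: str, value: str, *,
                 domain: Optional[str] = None, path: Optional[str] = None,
                 secure: bool = False) -> Optional[Cookie]:
    """Simulate the browser storing a Set-Cookie response to request_url."""
    u = urlsplit(request_url)
    accepted = accept_domain(u.hostname or "", domain)
    if accepted is None:
        return None
    eff_domain, host_only = accepted
    eff_path = path if (path and path.startswith("/")) else default_path(u.path)
    return Cookie(name, value, eff_domain, eff_path, host_only, secure)


def would_send(cookie: Cookie, request_url: str) -> bool:
    """RFC 6265 5.4: attach the cookie only if domain, path and scheme all match."""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower()
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(u.path or "/", cookie.path):
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    c = store_cookie("http://x.y.z.com/a/WebApp", "sid", "abc", path="/a")
    for url in ("http://x.y.z.com/a/b/index.html", "http://x.y.z.com/index.html",
                "http://x.y.z.com/ab"):
        print(url, "->", would_send(c, url))
    print("domain=z.com accepted:", store_cookie("http://x.y.z.com/", "t", "1", domain="z.com") is not None)
    print("domain=com accepted:", store_cookie("http://x.y.z.com/", "t", "1", domain="com") is not None)
```

Running it shows the path rule is a prefix match at slash boundaries rather than an exact match, that widening the domain to a parent (z.com) is accepted while a public suffix or an unrelated domain is discarded, and that a Secure cookie stays home on plain-HTTP requests.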