[WEB SECURITY] sequence of cookies in a request
- From: Achim Hoffmann <kirke11@xxxxxxxxxxxx>
- Subject: [WEB SECURITY] sequence of cookies in a request
- Date: Wed, 30 Nov 2005 18:27:45 +0100 (MET)
Does somebody know a paper/link where I can find a definition of how browsers
(should) send cookies?
In particular I'm interested in the sequence of cookies (name=value pairs)
the browser places in the Cookie: header.
Up to now my observations are that the sequence differs according to browsers
and according to some attributes of the cookies.
For example Mozilla/FF seems to send the cookies in this order:
1. domain cookie with path
2. host cookie with path
3. domain cookie without path
4. host cookie without path
while IE seems to send the cookies in order of their age (when set), oldest
first.
The above examples are just a small set of tests; I guess that the following
attributes are also used somehow, somewhere:
secure flag
https-only flag
expire
expire sent by server or set by browser
Cookie1 vs. Cookie2
All these variations make tests complicated; that's why I'm asking if there
exists a rule or the like.
Any help or hint appreciated.
{-: Achim
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org
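
An added example (not part of the original post): a Python helper for tests that compares Cookie: headers without relying on the browser's ordering and flags names sent more than once. It assumes that order only changes what the server reads when one name carries several values; the header strings are constructed sample values.

```python
from collections import Counter, defaultdict


def parse_cookie_header(value):
    """Return the (name, value) pairs of a Cookie: header in the order sent."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first "=" only; a pair without "=" gets an empty value.
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else ""))
    return pairs


def duplicate_names(pairs):
    """Map each name sent more than once to its values in sending order."""
    seen = defaultdict(list)
    for name, val in pairs:
        seen[name].append(val)
    return {n: v for n, v in seen.items() if len(v) > 1}


def compare_headers(a, b):
    """Compare two Cookie: headers independently of the browser's ordering."""
    pa, pb = parse_cookie_header(a), parse_cookie_header(b)
    dups = set(duplicate_names(pa)) | set(duplicate_names(pb))
    return {
        "same_cookies": Counter(pa) == Counter(pb),  # same pairs, any order
        "same_order": pa == pb,                      # identical sequence
        # Assumption: only names with several values are order-sensitive.
        "order_sensitive": sorted(dups),
    }


# Constructed sample headers (not captured from real browsers): the same four
# cookies, once grouped by domain/path and once in a different sequence.
HEADER_A = "sid=domain-path; sid=host-path; lang=en; theme=dark"
HEADER_B = "lang=en; sid=host-path; theme=dark; sid=domain-path"

if __name__ == "__main__":
    print(compare_headers(HEADER_A, HEADER_B))
```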