[Zope] [sort-of offtopic] cookies, http, and https.

Jussi Haro jussi.haro@greyinteractive.fi
Thu, 15 Jul 1999 18:07:51 +0300


At 15:39 +0300 15.7.1999, Anthony Baxter wrote:
>As far as I can tell, both Navigator and IE are refusing to send the cookie
>set from the http site to the https site. Presumably this is some poor idea
>of security.

Well, the 'net security solutions related to https generally seem to
involve totally disabling any and all data exchange possible. :( Some
versions of browsers go totally haywire if you have an HTML page served
from an https site that links to an image on an http site...

The behaviour of browsers in relation to https varies wildly with the
version of the browser and seems to generally become stricter as time
passes. Most probably this is due to the fact that people are very good at
finding exploits.

>Has anyone else seen this, and, more importantly, has anyone else found
>a workaround?

The only workaround we've figured out is to link from site to site with GET
URLs that point to scripts and then set the cookie separately. That's sure
to work with all browsers - I wouldn't trust setting a cookie "secure" as
suggested here earlier with the amount of different cookie implementations
out there, but then you're free to try. :)

Jussi

---
Jussi Haro
Chief Technical Designer
Grey Interactive Helsinki - http://www.greyinteractive.fi/
Tel. +358 9 6957 467 Fax. +358 9 6957 660
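
The workaround described in the message above (a GET link to a script on the other site, which then sets its own cookie), as an added example that is not code from the original post or from Zope. The shared key, the script URL, the `basket` cookie name, the 60-second lifetime and the HMAC signature on the link are all assumptions of this example, added so that a value carried in a URL cannot be altered or reused later.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions of this example (none of these come from the original post):
SHARED_KEY = b"constructed-demo-key"                  # secret known to both sites
HTTPS_SCRIPT = "https://secure.example.test/handoff"  # hypothetical receiving script
MAX_AGE = 60                                          # seconds a link stays valid


def _sign(value, issued):
    """HMAC over the issue time and the value, so neither can be changed."""
    msg = f"{issued}:{value}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_handoff_url(value, now=None):
    """http side: build the GET link that carries the value to the https site."""
    issued = int(time.time() if now is None else now)
    query = urlencode({"v": value, "t": issued, "sig": _sign(value, issued)})
    return f"{HTTPS_SCRIPT}?{query}"


def receive_handoff(url, now=None):
    """https side: check the link; return a Set-Cookie value, or None to reject."""
    now = int(time.time() if now is None else now)
    params = parse_qs(urlsplit(url).query)
    try:
        value, issued, sig = params["v"][0], int(params["t"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return None                      # missing or malformed parameter
    if not hmac.compare_digest(sig.encode(), _sign(value, issued).encode()):
        return None                      # value or timestamp was tampered with
    if not 0 <= now - issued <= MAX_AGE:
        return None                      # link is stale (URLs end up in logs)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", value):
        return None                      # keep header-breaking characters out
    # The https site sets the cookie itself instead of relying on the browser
    # to carry the http site's cookie across.
    return f"basket={value}; Path=/; Secure"
```

The link can still be replayed inside its validity window; making each link single-use would need server-side state that this example leaves out.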