Re: [Fwd: Doubleclick]
There's a very obvious way to get their cookie put in your cookies file without you explicitly going to their site.
This is my favorite example... You work at a company. Evil co-worker there says... check out this webpage I just set up. You go to that page, the server gives you a cookie with confidential information. ( 4k can store a lot of data..:) )... Boss comes around and looks at your cookie file, notices confidential information. You get fired, sued, whatever....
The server can send whatever it wants to you in the Set-Cookie: header. Read the spec.
Yes, but you know the server that sent it. A Set-Cookie header can't set the domain to be other than the domain that the cookie came from. The message that was copied to the list implied that one domain could set a cookie for another domain. That isn't true unless you have access to the person's cookie file. ( as you implied in your response, but which is beyond the scope of the original letter ).

Regards,

-jon

Jon (no h) S. Stevens yanni@clearink.com
ClearInk WebMagus http://www.clearink.com/
finger pgp@sparc.clearink.com for pgp pub key
We are hiring! Check out... http://www.clearink.com/clearink/home/job.html
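The domain rule the reply above relies on, as an added example written for this thread (not code from the original message, nor from any browser): a minimal model of how a user agent decides whether to store a Set-Cookie header received from a given host, following RFC 6265 sections 5.1.3 (domain matching), 5.2.3 (Domain attribute parsing), 5.3 (storage) and 5.4 (which cookies are sent back). It goes one step beyond the reply by also showing the case RFC 6265 does permit, a host setting a cookie for its own parent domain (www.example.com setting Domain=example.com), alongside the cross-domain and public-suffix cases it rejects. The host names, cookie values and the tiny PUBLIC_SUFFIXES set are constructed for illustration; a real agent uses the full Public Suffix List.

```python
# Illustrative cookie-storage check modelled on RFC 6265; not a complete
# cookie jar and not from any browser. All inputs below are constructed.
from dataclasses import dataclass

# Assumption: stand-in for the Public Suffix List used by real user agents.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def is_ipv4(host: str) -> bool:
    """True for dotted-quad literals; RFC 6265 never domain-matches an IP."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def domain_match(string: str, domain_string: str) -> bool:
    """RFC 6265 5.1.3: `string` domain-matches `domain_string` when they are
    identical, or `domain_string` is a dot-delimited suffix of a host name."""
    s, d = string.lower(), domain_string.lower()
    if s == d:
        return True
    return s.endswith("." + d) and not is_ipv4(s)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Attr' into (name, value, {attr: val})."""
    name_value, *attrs = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attributes


def store_cookie(request_host: str, set_cookie: str):
    """Return (Cookie, None) if a user agent would store the cookie received
    from `request_host`, or (None, reason) if it would ignore it."""
    name, value, attrs = parse_set_cookie(set_cookie)
    request_host = request_host.lower()
    # 5.2.3: drop a leading dot and lowercase the Domain attribute.
    domain_attr = attrs.get("domain", "").lstrip(".").lower()

    # 5.3 step 6: a public suffix may only be used by the host that *is* it.
    if domain_attr in PUBLIC_SUFFIXES:
        if domain_attr == request_host:
            domain_attr = ""
        else:
            return None, f"Domain={domain_attr} is a public suffix"

    # 5.3 step 7: the responding host must domain-match the Domain attribute,
    # so evil.example.com cannot set a cookie for doubleclick.net.
    if domain_attr:
        if not domain_match(request_host, domain_attr):
            return None, f"{request_host} does not domain-match {domain_attr}"
        return Cookie(name, value, domain_attr, host_only=False), None
    # No Domain attribute: host-only cookie scoped to the exact host.
    return Cookie(name, value, request_host, host_only=True), None


def cookies_for(jar, request_host):
    """RFC 6265 5.4: the stored cookies that go back out to `request_host`."""
    host = request_host.lower()
    return [c for c in jar
            if (c.host_only and c.domain == host)
            or (not c.host_only and domain_match(host, c.domain))]


if __name__ == "__main__":
    # Constructed cases; the cross-domain attempt from the thread comes first.
    cases = [
        ("evil.example.com", "id=abc; Domain=doubleclick.net"),   # unrelated domain: ignored
        ("evil.example.com", "id=abc; Domain=other.example.com"),  # sibling host: ignored
        ("www.example.com", "id=abc; Domain=.example.com"),       # parent domain: stored
        ("www.example.com", "id=abc; Domain=com"),                # public suffix: ignored
        ("www.example.com", "secret=confidential-data"),          # host-only: stored
    ]
    for host, header in cases:
        cookie, reason = store_cookie(host, header)
        print(f"{host:18} {header:40} -> {cookie or reason}")
```

Note that the last case is exactly the scenario of the co-worker's web page: a server is free to put any value it likes into a cookie scoped to its own host, and that value then sits in the user's cookie file regardless of where it would later be sent.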