From: Eric Murray <ericm@lne.com>
Date: Mon, 1 Jul 1996 15:46:02 +0800
To: jon@aggroup.com (Yanni)
Subject: Re: [Fwd: Doubleclick]
In-Reply-To: <9606301243.AA03585@jon.clearink.com>
Message-ID: <199606302113.OAA27031@slack.lne.com>
MIME-Version: 1.0
Content-Type: text/plain


Yanni writes:
> 
> > [short-attention-span summary:  someone's using Netscape cookies as a 
> > way to target-market browser users.  Since I hate being targeted, I 
> > came up with a hack "fix" to prevent it, see below] 
> 
> Whatever.

Whatever?

> > > >Date:    Wed, 26 Jun 1996 19:42:00 -0700 
> > > >From:    Scott Wyant <scott_wyant@loop.com> Subject: COMMENT: 
> > > >Cookie dough 
> > > > 
> > > >If you're like me, you never went to a site called "doubleclick."  
> > > >So how did they give you a cookie?  After all, the idea of the 
> > > >cookie, according to the specs published by Netscape, is to make a 
> > > >more efficient connection between the server the delivers the 
> > > >cookie and the client machine which receives it. 
> > > >But we have never connected to "doubleclick." 
> 
> Scott must have. Navigator is very picky about where a cookie comes 
> from and what is put in the domain field of the cookie.


I had a cookie in my cookies file from them also, and had
not been to their site before.

There's a very obvious way to get their cookie put in
your cookies file without you explicitly going to their site.  I'm
sure a smart boy like you could figure it out.


[...]


> > My own experiments shows that simply removing the cookie file (~/.
> > netscape/cookies) works to "fix" this, as long as you don't have 
> > old netscape config files lying about (then it pops a dialog asking if 
> > you want to nuke the old config, and uses the old cookies file).  
> > Netscape (version 3.0b for Linux) doesn't recreate the cookies file.  
> > Of course this "fix" means that I'm not able to take advantage of 
> > whatever cookies might offer me, but since I can't control them and 
> > never see them there's probably not a lot that they do that I'll miss. 
> 
> Who cares if you can't control them? They don't contain any 
> information that you don't already know about!


The server can send whatever it wants to you
in the Set-Cookie: header.  Read the spec.

The user can set Netscape to pop up an alert when a cookie is
sent, and it says what the cookie is.  However there's no
standard encoding format so you get stuff like "IAF=zb87"
or "X=VGhlIGxhdW5jaCBjb2RlIGlzICdiYW5kZXJzbmF0Y2gnCgAA"
which as far as most users are concerned is gibberish, although
it could be base64 encoded "The launch code is 'bandersnatch'".
Most people will accept whatever they're given, assuming that they
can even find the preference for accepting cookies.




-- 
Eric Murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF