Client certificate musings

Sean Conner sean at conman.org
Sun May 24 21:17:43 BST 2020


It was thus said that the Great solderpunk once stated:
> I'm, unsurprisingly, extremely out of touch with modern web development:
> are cookies still strictly tied to domains or have they evolved some
> kind of path-specificity?

  It's not path-specificity, but domain-specificity, but a cookie *can* be
shared between sub-domains of a domain.

	domain	cookies
	===============
	conman.org
		alpha

	www.conman.org
		alpha
		beta

	sub.www.conman.org
		alpha
		beta
		gamma

  The 'alpha' cookie will be sent to the domain and each subdomain, the
'beta' cookie will only be sent to the www subdomain, and 'gamma' will be
only sent to sub.www sub-subdomain.  A cookie can only be set on a domain,
not a TLD, but this requires some explaining.  If my site were under the UK,
then:

	conman.co.uk
		alpha

	www.conman.co.uk
		alpha
		beta

	sub.www.conman.co.uk
		alpha
		beta
		gamma

  A cookie for 'co.uk' MUST be rejected by browsers, as 'co.uk' is
considered a TLD (much like .org and .com).  Yes, this means that every
browser has to be aware of the domain rules for every country (and they can
change over time).  For the US, a domain is either a place name under a
state (two letter code) or (and this changed several years back) any domain
(other than the state ones) under the .us domain:

	nyc.ny.us	-- VALID for cookies
	acme.us		-- VALID for cookies
	ny.us		-- INVALID for cookies

  If you think this is insane, it is.  

  -spc (Kind of wish I was making this up)
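
Added example, not part of the original message: a sketch of the domain matching and suffix rejection described above, run against the cookie tables from the message. The suffix set is constructed and tiny (browsers consult the full Public Suffix List), and the function names are hypothetical.

```javascript
// Constructed, deliberately tiny suffix set covering only the names in the
// message above; a real user agent needs the rules for every registry.
const PUBLIC_SUFFIXES = new Set(["org", "com", "uk", "co.uk", "us", "ny.us"]);

// Lower-case and strip a leading or trailing dot.
function normalize(name) {
  return name.trim().toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// RFC 6265 domain-match: identical, or host ends with "." + domain.
// The dot boundary keeps "evilconman.org" from matching "conman.org".
// (IP-address hosts, which never suffix-match, are not handled here.)
function domainMatch(host, domain) {
  const h = normalize(host);
  const d = normalize(domain);
  return d !== "" && (h === d || h.endsWith("." + d));
}

// Would a cookie with this Domain attribute, set by requestHost, be stored?
// Simplification: a public-suffix Domain is always rejected here.
function acceptCookieDomain(requestHost, domainAttr) {
  const d = normalize(domainAttr);
  if (PUBLIC_SUFFIXES.has(d)) return false;   // 'co.uk', 'ny.us', 'org', ...
  return domainMatch(requestHost, d);         // host must sit at or below Domain
}

// Names of the cookies in `jar` that would be sent to `host`.
function cookiesFor(host, jar) {
  return jar.filter((c) => domainMatch(host, c.domain)).map((c) => c.name).sort();
}

// The jar from the first table: each cookie scoped to the domain that set it.
const JAR = [
  { name: "alpha", domain: "conman.org" },
  { name: "beta", domain: "www.conman.org" },
  { name: "gamma", domain: "sub.www.conman.org" },
];

for (const host of ["conman.org", "www.conman.org", "sub.www.conman.org"]) {
  console.log(host, cookiesFor(host, JAR).join(","));
}
for (const [host, dom] of [["www.conman.co.uk", "co.uk"], ["www.nyc.ny.us", "nyc.ny.us"],
                           ["www.acme.us", "acme.us"], ["nyc.ny.us", "ny.us"]]) {
  console.log(dom, acceptCookieDomain(host, dom) ? "VALID" : "INVALID");
}
```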

