
shibboleth-dev - RE: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")
  • Date: Fri, 17 Dec 2010 10:40:57 -0800
  • Accept-language: en-US


Let's not forget RSA's original work on websso - in which the inter-domain
cookie got sent around between websites. It's still in their product
portfolio, if anyone wants to play with the IIS plugins etc.


-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Friday, December 17, 2010 10:32 AM
To:
Subject: RE: [Shib-Dev] New IETF draft for IdP Discovery ("PingPong")

> I'm not sure what definition is being used for 3rd party cookies, but
> cookies need to be read through an iframe. They are never written
> through an iframe. I'm curious though, what issues are seen with this?

It's a cookie associated with a domain other than the one from which the
original page came. I'm pretty sure that's the only definition.

AFAIK, reading cookies through an IFRAME is not allowed across domains when
third party cookies are disabled.

People often fool themselves into thinking this works, because many browsers
treat domains with a common tail as a special case, and allow reading them
even when they're disabled. Using completely separate domains (which I think
you'll agree is the entire basis of your proposal) results in different
behavior.

-- Scott



