
One common use is to pass session data between subsections of a site. For example, the user logs into www.example.com, and is still logged in when they head over to store.example.com.



That could also be implemented in my proposed fix by example.com setting the auth cookies. They will continue to be readable by store.example.com.

Sure, it will require a change on the server side, which is a pain. But I can't think of a practical scenario which will be impossible to implement with the proposed fix.


Your idea would likely break any site on the internet that uses authentication and subdomains; isn't it clear why this isn't being considered?


Or sites could opt-in to this with a header?

EDIT: homakov says the same thing down thread.
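
Added example, not code from the thread or from any commenter: a small JavaScript model of the RFC 6265 cookie scoping rules the discussion above depends on. It shows when a cookie set by example.com is sent to store.example.com (only with a Domain attribute; a host-only cookie stays on example.com), that a subdomain such as store.example.com may itself set a cookie scoped to example.com that www.example.com then receives, and the `__Host-` name prefix from RFC 6265bis, which is the per-cookie opt-in browsers implement today for strictly host-only cookies. The hostnames and cookie values are made up for illustration.

```javascript
// Added example: a minimal model of RFC 6265 cookie domain scoping.
// Hostnames and cookie values below are illustrative only.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // A suffix match only counts for real hostnames, never for IP literals.
  const isIPv4 = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  return !isIPv4 && host.endsWith("." + domain);
}

// Parse a Set-Cookie header received from `originHost` into a stored cookie,
// following the storage rules of RFC 6265 section 5.3 plus the __Host- prefix
// rule from RFC 6265bis. Returns null when the cookie must be rejected.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), // default: the setting host itself
    hostOnly: true,                   // ... and only that host
    secure: false,
    path: "/",
  };
  let domainAttr = null;
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "domain") domainAttr = v.replace(/^\./, "").toLowerCase();
    else if (key === "secure") cookie.secure = true;
    else if (key === "path") cookie.path = v || "/";
  }
  if (domainAttr !== null) {
    // A host may only set a Domain that it itself domain-matches:
    // store.example.com may set Domain=example.com, but not Domain=other.com.
    if (!domainMatches(originHost, domainAttr)) return null;
    cookie.domain = domainAttr;
    cookie.hostOnly = false;
  }
  // __Host- cookies must be Secure, carry no Domain attribute and use Path=/,
  // so they can only ever be set by, and sent to, the exact host.
  if (cookie.name.startsWith("__Host-")) {
    if (!cookie.secure || domainAttr !== null || cookie.path !== "/") return null;
  }
  return cookie;
}

// RFC 6265 section 5.4: is a stored cookie included on a request to `host`?
function sentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Walk through the cases the thread argues about.
const shared = storeCookie("sid=abc; Domain=example.com; Path=/", "www.example.com");
const hostOnly = storeCookie("sid=abc; Path=/", "example.com");
const tossed = storeCookie("sid=evil; Domain=example.com; Path=/", "store.example.com");
const foreign = storeCookie("sid=x; Domain=other.com", "store.example.com");
const hostPrefixed = storeCookie("__Host-sid=x; Secure; Path=/", "example.com");
const badPrefixed = storeCookie("__Host-sid=x; Secure; Domain=example.com; Path=/", "example.com");
```

`shared` reaches store.example.com, `hostOnly` does not; `tossed`, set by the subdomain, is delivered to www.example.com, which is the cross-subdomain write the thread's "proposed fix" is about; `foreign` and `badPrefixed` are rejected outright, and `hostPrefixed` is accepted only because it satisfies all three `__Host-` conditions.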


Yes, it is backwards incompatible. Perhaps it could be enforced in HTTP 2?




