See [faqs.org...] (this RFC is about Cookie2, which is not implemented, but it illustrates the mechanism nevertheless), [wp.netscape.com].
Andreas
The long answer is no because even letting you know that I have cookie X on my machine is insecure behaviour.
Let's say that the cookie name has significance: if you knew its name you might be able to work out where I have been, e.g. does this user have a cookie called "subscription-sealclubbersmonthly" or a similarly unique name.
Secondly, the cookie name is no good without knowing which domain set it (unless of course you give it a unique name), e.g. "sitecookie" might be a really common cookie name, so unless you could see the domain which controls it you are not going to know if it is from your sites or "dericks dirt emporium".
Equally there would be nothing to stop you attempting to brute force the name of a "special" cookie from my system - perhaps a certain shopping cart stores my userid as part of the cookie...
Really the problem is partly that we can't trust other people not to abuse this type of access, but it's also that we can't trust programmers to use cookies in ways where they are not open to abuse.
If I were you I would look at the domain attribute when you set your cookies, as a domain of "mydomain.com" can be seen by any site which operates from that domain - including sub-domains.
- Tony
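
Added example, not part of the posts above: a simplified model of the RFC 6265 rules a browser uses to decide which hosts receive a cookie, showing the difference between setting Domain=mydomain.com and omitting the Domain attribute. The function names and the host list are constructed for illustration; Path, Secure and public-suffix checks are left out.

```javascript
// Crude IP check: suffix-based domain matching applies to host names only.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: the host is identical to the domain, or it is a
// host name that ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Store a cookie the way a user agent does (section 5.3, simplified).
// Returns null when the cookie must be rejected.
function storeCookie(settingHost, name, domainAttr) {
  if (domainAttr === undefined || domainAttr === "") {
    // No Domain attribute: host-only cookie, sent back to the exact host only.
    return { name, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A site cannot set a cookie for a domain it does not belong to.
  if (!domainMatches(settingHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatches(host, cookie.domain);
}

function hostsReceiving(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed sample hosts.
const HOSTS = ["mydomain.com", "www.mydomain.com", "shop.mydomain.com",
               "notmydomain.com", "example.org"];

const wide = storeCookie("www.mydomain.com", "userid", "mydomain.com");
const hostOnly = storeCookie("www.mydomain.com", "userid");
const foreign = storeCookie("example.org", "userid", "mydomain.com");

console.log("Domain=mydomain.com:", hostsReceiving(wide, HOSTS));
console.log("no Domain attribute:", hostsReceiving(hostOnly, HOSTS));
console.log("set from example.org:", foreign);
```

Omitting the Domain attribute keeps the cookie on the host that set it, which is the narrower choice when sub-domains are run by different parties.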