Hope this is not off topic. If it is, please refer me to a proper link.

My name is Peter. I have some questions regarding cookies and domains.

Can the domain of the cookie be faked? The rule in your letter said it had to be in the same domain as the sending computer. What prevents someone from totally spoofing the cookie? (For good purposes, of course.)

Example scenario:

OS390 computer... domain = web.oft.org
IIS computer.... domain = hesc.org
Source OS 390 computer creates two cookies.

Cookie 1 is a session cookie with DOMAIN_NAME= hescweb.hesc.org
Cookie 2 is a general cookie with DOMAIN_NAME= hesc.org

It violates your rules, but so what?

Can more than one cookie be created and sent to the browser?

Any help would be greatly appreciated.
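
The receiving side of the scenario above, as an added example that is not part of the original message: the Domain check a conforming browser applies (RFC 6265 domain matching) to each Set-Cookie header in a response from web.oft.org. The cookie names and values, the two extra headers, and the function names `domain_match` and `accepted_cookies` are constructed for illustration.

```python
import ipaddress
from http.cookies import SimpleCookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")  # a leading dot is ignored
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address only matches itself
    except ValueError:
        pass
    return host.endswith("." + domain)


def accepted_cookies(request_host: str, set_cookie_headers: list) -> dict:
    """Return {cookie name: scope} for the cookies a conforming browser stores."""
    stored = {}
    for header in set_cookie_headers:  # one Set-Cookie header per cookie
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"]
            if not domain:
                stored[name] = request_host  # host-only cookie
            elif domain_match(request_host, domain):
                stored[name] = domain.lstrip(".").lower()
            # Otherwise the browser ignores the cookie entirely.
            # Browsers also reject public suffixes such as "org";
            # that list is not modelled in this example.
    return stored


# Constructed response headers: the two cookies from the post,
# plus two that stay inside the sender's own domain.
SAMPLE_HEADERS = [
    "session=abc123; Domain=hescweb.hesc.org; Path=/",
    "general=xyz789; Domain=hesc.org; Path=/; Max-Age=86400",
    "local=ok1; Domain=oft.org; Path=/",
    "hostonly=ok2; Path=/",
]

if __name__ == "__main__":
    print(accepted_cookies("web.oft.org", SAMPLE_HEADERS))
```

The server can write any Domain value it likes into the header; the check runs in the browser, which is why it cannot be bypassed from the sending side.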