I can't say for certain why this bug is exposed by NYTimes; however, I saw a comment on HN about trailing dots on domain names[1] being a browser implementation quirk.
The author of that article suggests that NYTimes may have misconfigured their Apache VirtualHost.
Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.
If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.
> Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.
Not at all. We wouldn't expect reddit.com. to share cookies with news.ycombinator.com. The browser enforces that hard separation between the 2 domains with respect to access to cookies and such.
Thats the same split with nytimes.com and nytimes.com. . The browser sees them as 2 distinct domains, and will absolutely not let cookies cross.
> If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.
It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.
Going to their FQDN is a 'different domain' with respect to the browser and its cookie store. So its only logical that you start 'fresh' (aka: no cookie history). And there's nothing that I know of that can allow cookie sharing... Then again I do systems administration.
>It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.
Thank you for clarifying. I hadn't considered that NYTimes may not show paywall for a 'new potential customer' since I am all to familiar with their paywall.
I really feel like it's just a matter of time where they require an account to read the articles and only provide snippets to those who are beyond there free limit.
Techniques include blocking cookies, specific JS scripts, redirecting to a different URL, changing the user-agent to pretend to be Google's indexer, changing the referer to make it appear the user is coming from a Google search, and removing or hiding elements from the page that get in the way of reading the article.
- Take a paywall'ed URL: https://www.nytimes.com/2013/05/05/magazine/y-combinator-sil...
- Add a dot after the domain: https://www.nytimes.com./2013/05/05/magazine/y-combinator-si...
voila, no paywall. Would love to hear an inside story about why this bug appeared.