* Gaurav Vaish:
> Can we have a header called Auth-ID which may perform the task of a
> session-ID? Instead of putting it in form-data or as part of the URL (which
> leads to a must-form-on-every-request) or as cookies (sometimes
> disabled, for good reasons as mentioned in the thread), we can have it as
> a separate header.

Your proposal does not address one of the problems raised in Section
2.2.2 of RFC 2964:

    Similarly, HTTP State Management SHOULD NOT be used to authenticate
    user requests if unauthorized requests might have undesirable side-
    effects for the user, unless the user is aware of the potential for
    such side-effects and explicitly consents to such use. For example,
    a service which allowed a user to order merchandise with a single
    "click", based entirely on the user's stored "cookies", could
    inconvenience the user by requiring her to dispute charges to her
    credit card, and/or return the unwanted merchandise, in the event
    that the cookies were exposed to third parties.

Nowadays, this is called "Cross-Site Request Forgery", or "Session
Riding". Standardizing some cookie-lookalike which doesn't address
this problem seems rather pointless to me.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
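The point the reply makes, shown as an added example that is not part of the thread or of any IETF document: a constructed Python model of a one-click order endpoint that trusts only the automatically attached Auth-ID, beside one that also requires a session-bound token and an Origin match. The session store, site URLs and request shapes are assumptions made for the example.

```python
import secrets

# Constructed in-memory session store: Auth-ID value -> session record.
SESSIONS = {}

def login(user):
    """Issue an Auth-ID and a per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def forged_request(sid, third_party="https://evil.example"):
    """Constructed: what a browser sends when a third-party page submits a
    form to the shop. The ambient Auth-ID is attached automatically, Origin
    names the third-party site, and the session-bound token is absent
    (the third-party page cannot read it)."""
    return {"cookies": {"Auth-ID": sid},
            "headers": {"Origin": third_party},
            "form": {"item": "widget"}}

def legit_request(sid, site="https://shop.example"):
    """Constructed: a same-site form submission carrying the session token."""
    return {"cookies": {"Auth-ID": sid},
            "headers": {"Origin": site},
            "form": {"item": "widget", "csrf": SESSIONS[sid]["csrf"]}}

def order_ambient_only(req):
    """The RFC 2964 anti-pattern: a side-effecting action authorized solely
    by an automatically attached credential. Returns an HTTP status code."""
    if SESSIONS.get(req["cookies"].get("Auth-ID")) is None:
        return 401
    return 200  # order placed

def order_hardened(req, site="https://shop.example"):
    """Same action, but the request must show it came from the user's own
    interaction with the site, not merely from the user's browser."""
    sess = SESSIONS.get(req["cookies"].get("Auth-ID"))
    if sess is None:
        return 401
    origin = req["headers"].get("Origin")
    if origin is not None and origin != site:
        return 403  # cross-site submission
    # Synchronizer token: bound to the session, readable only by pages the
    # site itself served, echoed back in the form. Constant-time compare.
    if not secrets.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
        return 403
    return 200
```

Renaming the cookie to a standardized Auth-ID header changes nothing here: as long as the browser attaches it on its own, the third-party submission still passes the ambient-only check and is stopped only by the token and Origin checks.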