You mean to suggest that we should store the session details in
form data?

I mean to suggest that trying to do good authentication with cookies
or URL frobs is a difficult, ugly problem. Though I have seen one
approach that essentially encoded Kerberos tickets in cookies that
seemed to me to have potential, but that still wouldn't solve the
problem for sites/proxies that thwart cookies. I think putting such
frobs in URLs would make the URLs too long.

Well... how do I, then, validate whether a valid session
(authenticated session) exists or not if I have to access resources
other than forms - like a movie file, PDF, doc, etc.?
As you say, cookies are sometimes disabled (and for good reasons), so how
do I track the session for non-form resources/files?
And it also means that I cannot simply move from one page to another -
if I'm putting validation data as form data, each link must be a
form-submit link with some option.
How far can this be justified?

Just because HTTP exists does not mean it is a good tool for
everything you might want to do over a network.

Keith
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf