
Re: Authentication/Session tracking question [was: HTTP/1.1 Protocol: Help Needed]

2005-05-13 08:43:09
On Fri, May 13, 2005 at 09:26:59AM +0530, Gaurav Vaish wrote:
>> The deployment strategy has to come first, how can this address a
>> pain
>
>   In both cases, I think, it's trivial to have a small patch. MS
> already gives automatic updates for IE. The task for Mozilla is trivial.
> Safari -- Apple also has an automatic updates feature.

In the first place, it's not a small patch.  (Well, OK, renaming the
cookie headers is a small patch.  But somebody eventually would see
through that; to get more than 6-12 months out of this idea would
require more work than that.)

In the second place, not all HTTP clients come from the set {IE,
Mozilla, Safari}.  In fact, if you look simply at the number of clients
(as opposed to weighting the number by the popularity), those are
probably a very small minority.  And there are still archaic versions of
those three floating around.

>   From a developer's perspective -- most servers, especially J2EE and
> .Net based ones, use a central authentication / tracking system. So do
> most of the popular systems in PHP and Perl/CGI.

(I reiterate my second point above.)

>   Websites no longer have to rely on cookies. Several times, as one of
> my friends at Yahoo says, users report that they are unable to log in,
> only to find that cookies have been disabled by the proxy server
> (transparent or otherwise) in their organizations.

Frequently, I suspect Yahoo is swimming upstream.  There are good
reasons why cookies are blocked; relying on them is probably not the
best idea.

>   btw, can you provide details of the proposal that you gave in 1995?
> And what was Dave's proposal in 1992?

Uh, me, too.

>   Remember, again, that the ID expires immediately. And there's a
> provision to unset. The former addresses Section 2.2.2 of RFC 2964
> (pointed out by Florian).

Does it?  The Auth-ID is still transmitted in the clear, exposing it to
everything between the server and the client.  And expiration wouldn't
automatically fix the problem of the client leaking the token.

-- 
Tommy McGuire

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf