Re: Cookie Question

From: Ari Luotonen <luotonen@netscape.com>
Date: Fri, 14 Feb 1997 12:57:39 -0800 (PST)
Message-Id: <199702142057.MAA26109@step.mcom.com>
To: jg@zorch.w3.org
Cc: luotonen@netscape.com, wyllys@reston.ans.net, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> Could one or both of you explain what it would be used for?
> It would help the rest of us support such a proposal.
> Just asserting it would be useful doesn't help us (as a working
> group) understand (or understand what problems it would present
> that have to be thought about).

I'll list some off the top of my head:

 o one-time password/securID type authentication where a cookie is
   issued and considered as valid credentials for a certain period of
   time and then expired

 o other access control data, e.g. ACL's

 o being able to track usage patterns without forcing user
   authentication

 o being able to customize the view through the proxy

 o maintaining client state on proxy side that is useful and necessary,
   e.g.

	o to guarantee that a Java originated connection gets to the
	  same IP address as the Java applet was loaded from (to
	  avoid the DNS spoofing attack)

	o to guarantee the same proxy route to the origin server, to
	  avoid problems where sites would associate a client cookie
	  with the incoming IP address, and with multiple different
	  proxy routes end up in a situation where client's cookie is
	  considered invalid by the origin server because it came
	  through a different proxy route (different source IP
	  address)

The two last subitems I don't mind if HTTP WG proposes some other
mechanism to deal with them; however, if we go with Proxy-cookies
(which I fully support), this would be a possible solution.

Cheers,
--
Ari Luotonen	* * * Opinions my own, not Netscape's * * *
Netscape Communications Corp.		ari@netscape.com
501 East Middlefield Road		http://home.netscape.com/people/ari/
Mountain View, CA 94043, USA		Netscape Proxy Server Development
Received on Friday, 14 February 1997 13:09:30 EST
