cookies and security

From: Keld Jørn Simonsen <keld@dkuug.dk>
Date: Tue, 23 Sep 1997 23:20:40 +0200
Message-Id: <199709232120.XAA28467@dkuug.dk>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

I have a novice question on the use of cookies as a security facility.
I have not followed the discussion thoroughly, so maybe this
information is already available somewhere. Then please excuse me
and point me to the proper docs.

I maintain a number of web pages with some restricted information
but the security need not be very tight. We expect that some users
give their information to colleagues, and in most cases the userids
and passwords are the same for whole groups.

People tend to forget their passwords, and also being nagged
for the access information is irritating.

So I wondered if I could use cookies as authorization. That is,
the first time restricted information is accessed, the user needs
to give the proper userid/password, but later on, if the proper
cookie is given, this is satisfactory, and the access is granted.
From time to time, say with an interval of some months, the
users need to give the userid/passwd again - which then may have
been changed to prevent old users, not allowed anymore, to access the
information.

Is this a recommended practice in some cases, and can this be done
with current technology, and how?

Keld Simonsen
Received on Tuesday, 23 September 1997 14:27:34 EDT
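
The scheme asked about above, sketched as an added example that is not part of the original message: after a successful userid/password check the server issues a cookie carrying an expiry time and an HMAC tied to the group's current password hash, so the cookie lapses after a fixed interval and stops working as soon as the password is changed. The function names, the 90-day interval, the `|` cookie layout (group names must not contain `|`) and the demo secret and passwords are all assumptions made for illustration.

```python
import base64, hashlib, hmac, time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random key kept only on the server
MAX_AGE = 90 * 24 * 3600                    # assumption: "some months" taken as 90 days

def _mac(group, expires, password_hash):
    # The MAC covers the current password hash, so changing the group
    # password invalidates every cookie issued under the old one.
    msg = f"{group}|{expires}|".encode() + password_hash
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

def issue_cookie(group, password_hash, now=None):
    """Build the cookie value; call only after the password check succeeded."""
    expires = int(time.time() if now is None else now) + MAX_AGE
    tag = base64.urlsafe_b64encode(_mac(group, expires, password_hash)).decode()
    return f"{group}|{expires}|{tag}"

def check_cookie(cookie, lookup_password_hash, now=None):
    """Return the group name if the cookie is valid, else None (prompt for password)."""
    try:
        group, expires_s, tag = cookie.split("|")
        expires = int(expires_s)
        got = base64.urlsafe_b64decode(tag.encode())
    except (ValueError, AttributeError):
        return None                          # malformed or missing cookie
    password_hash = lookup_password_hash(group)
    if password_hash is None:
        return None                          # unknown group
    if int(time.time() if now is None else now) >= expires:
        return None                          # interval elapsed: ask for the password again
    expected = _mac(group, expires, password_hash)
    # Constant-time comparison avoids leaking how much of the tag matched.
    return group if hmac.compare_digest(got, expected) else None

if __name__ == "__main__":
    # Constructed sample data: one shared group account.
    store = {"staff": hashlib.pbkdf2_hmac("sha256", b"old-pass", b"demo-salt", 1000)}
    cookie = issue_cookie("staff", store["staff"])
    print(check_cookie(cookie, store.get))   # accepted while the password is unchanged
    store["staff"] = hashlib.pbkdf2_hmac("sha256", b"new-pass", b"demo-salt", 1000)
    print(check_cookie(cookie, store.get))   # rejected after the password change
```

A cookie like this is a bearer credential: anyone who obtains a copy has the same access until it expires or the password changes, which matches the shared-account assumption in the message but is worth keeping in mind when choosing the interval.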