
Re: Introducing a Session header...

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Tue, 17 Jul 2012 20:23:47 -0400
Message-ID: <CAMm+LwgC2NC1w=W-xZH+LHJn4ZDuMDwc3_kOspbCn6p0oF019Q@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Thomson <martin.thomson@gmail.com>, James M Snell <jasnell@gmail.com>, ietf-http-wg@w3.org

I would like to have a strong session cookie. That is a session cookie
that is bound to some shared secret and a protocol that allows the
client to provide a proof of knowledge of the secret with each
request.

The reason for this is that once the client has performed an initial
authentication to the service (via password, OAUTH, OpenID, sheep's
entrails, whatever) it can re-authenticate at very low cost on every
successive request.

This would be in addition to any authentication mechanism provided by
TLS, since TLS authentication is typically client authentication of the
server and not server authentication of the client.


This does not solve the HTTP authentication problem but it does break
off a significant chunk for separate work.
Received on Wednesday, 18 July 2012 00:55:20 GMT
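The post sketches a "strong session cookie": after the initial login the server hands the client a session identifier plus a shared secret, and every later request carries a cheap proof that the client knows the secret. The following is an added illustration of that idea, written for this archive page and not code from the poster or from any HTTP working group draft. It assumes a hypothetical header layout (`sid`, `ts`, `nonce`, `mac`), an HMAC-SHA256 over the method, path, session id, timestamp, nonce and body hash, and an in-memory session table; all of those are the example's own choices, not anything the message specifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session table: session_id -> secret, user, nonces seen.
SESSIONS = {}
CLOCK_SKEW = 300  # seconds a request timestamp may differ from server time


def issue_session(user):
    """After the initial (password/OAuth/OpenID/...) login, mint a session id
    and a shared secret. The secret is sent once and then never re-sent."""
    session_id = secrets.token_urlsafe(16)
    secret = secrets.token_bytes(32)
    SESSIONS[session_id] = {"secret": secret, "user": user, "seen": set()}
    return session_id, secret


def canonical(method, path, session_id, ts, nonce, body):
    """Bytes the MAC covers: binds the proof to this request, not just the session."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, session_id, str(ts), nonce, body_hash]
    return "\n".join(fields).encode()


def sign_request(session_id, secret, method, path, body=b"", ts=None, nonce=None):
    """Client side: produce the header value proving knowledge of the secret."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    msg = canonical(method, path, session_id, ts, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Hypothetical header layout; the secret itself is never placed on the wire.
    return f"sid={session_id}; ts={ts}; nonce={nonce}; mac={mac}"


def parse_header(value):
    parts = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        parts[key] = val
    return parts


def verify_request(header, method, path, body=b"", now=None):
    """Server side: return the user name on success, None on any failure.
    Checks, in order: well-formed header, known session, fresh timestamp,
    unseen nonce (replay), and a constant-time MAC comparison."""
    now = int(time.time()) if now is None else now
    try:
        p = parse_header(header)
        session_id, ts, nonce, mac = p["sid"], int(p["ts"]), p["nonce"], p["mac"]
    except (KeyError, ValueError):
        return None
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    if abs(now - ts) > CLOCK_SKEW:
        return None  # stale or future-dated; limits how long a capture is useful
    if nonce in sess["seen"]:
        return None  # replay of a previously accepted request
    expected = hmac.new(sess["secret"],
                        canonical(method, path, session_id, ts, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # wrong secret, or method/path/body altered in transit
    # Only record the nonce once the MAC is good, so bogus requests cannot
    # poison the seen-set. A real server would expire entries older than CLOCK_SKEW.
    sess["seen"].add(nonce)
    return sess["user"]


if __name__ == "__main__":
    sid, secret = issue_session("alice")
    hdr = sign_request(sid, secret, "GET", "/account")
    print(verify_request(hdr, "GET", "/account"))  # alice
    print(verify_request(hdr, "GET", "/account"))  # None (replay)
```

The point the post makes is visible in the verifier: a captured header value on its own cannot be replayed (nonce) or reused for a different request (method, path and body are under the MAC), and re-authentication costs one HMAC per request rather than a round trip to the password or OAuth provider.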
