Interop issue: Can we require clients to accept cookies?

From: Lisa Dusseault <lisa@xythos.com>
Date: Sun, 15 Sep 2002 11:13:50 -0700
To: "Webdav WG" <w3c-dist-auth@w3c.org>
Message-ID: <000101c25ce3$a5387f30$29c4fea9@xythoslap>


RFC 2518 is silent on cookies.  It requires support for RFC2068 (now
RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965).

Some WebDAV servers, however, rely on setting cookies to keep a session
for an unauthenticated user. For Basic authentication, cookies can
vastly reduce the number of times a nearly-clear-text password is sent
over the network, so cookies can make the interaction more secure.
Session cookies are less secure than Digest authentication; however,
servers with low security requirements and high performance requirements
may prefer to use cookies.

In addition to being used for keeping sessions, cookies may be used to
keep track of other client preferences (this is theoretical as I do not
know of any actual examples).

Thus, it was proposed that RFC2518 bis reference RFC2965, and say that
"clients SHOULD support cookies". 

Discuss?
Lisa
Received on Sunday, 15 September 2002 14:14:37 GMT
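
Added example, not part of the original message or of any WebDAV implementation: an in-process model of the exchange described above, counting how often the Basic password crosses the wire when the client does or does not accept the session cookie. The `sid` cookie name, the `dav` realm, and the credentials are constructed for illustration.

```python
import base64
import secrets
from http.cookies import SimpleCookie

USERS = {"lisa": "s3cret"}   # constructed credentials
SESSIONS = {}                # session id -> user name

def server(headers):
    """Handle one request; return (status, response_headers)."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    if "sid" in jar and jar["sid"].value in SESSIONS:
        return 200, {}                       # known session, no password needed
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:                   # bad base64 or bad UTF-8
            user, pw = "", ""
        expected = USERS.get(user)
        if expected is not None and secrets.compare_digest(
                expected.encode(), pw.encode()):
            sid = secrets.token_urlsafe(32)  # unguessable session id
            SESSIONS[sid] = user
            return 200, {"Set-Cookie": f"sid={sid}; Secure; HttpOnly; Path=/"}
    return 401, {"WWW-Authenticate": 'Basic realm="dav"'}

def client(n_requests, accept_cookies):
    """Issue n requests; return how many of them carried the password."""
    cred = "Basic " + base64.b64encode(b"lisa:s3cret").decode()
    cookie, password_sends = None, 0
    for _ in range(n_requests):
        headers = {"Cookie": cookie} if cookie else {}
        status, resp = server(headers)
        if status == 401:                    # challenged: retry with credentials
            headers["Authorization"] = cred
            password_sends += 1
            status, resp = server(headers)
        if accept_cookies and "Set-Cookie" in resp:
            cookie = resp["Set-Cookie"].split(";", 1)[0]   # keep only sid=...
    return password_sends

if __name__ == "__main__":
    print("cookie-aware client :", client(10, True), "password send(s)")
    print("cookie-less client  :", client(10, False), "password send(s)")
    print("server-side sessions:", len(SESSIONS))
```

A client that ignores the cookie also makes the server create a new session on every request, which is the interoperability cost the message raises.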