
RE: Interop issue: Can we require clients to accept cookies?

From: Clemm, Geoff <gclemm@rational.com>
Date: Mon, 16 Sep 2002 07:16:34 -0400
Message-ID: <3906C56A7BD1F54593344C05BD1374B108258ECA@SUS-MA1IT01>
To: Webdav WG <w3c-dist-auth@w3c.org>

I agree with Stefan (i.e. that nothing about cookies should
appear in 2518bis), for the reasons he states, unless I hear a
compelling argument for why clients should be required to accept
cookies in order for WebDAV to work properly.

Cheers,
Geoff

-----Original Message-----
From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]
Sent: Monday, September 16, 2002 4:44 AM
To: Lisa Dusseault
Cc: Webdav WG
Subject: Re: Interop issue: Can we require clients to accept cookies?




On Sunday, 15 September 2002, at 20:13, Lisa Dusseault wrote:
>
> RFC 2518 is silent on cookies.  It requires support for RFC2068 (now
> RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965).
>
> Some WebDAV servers, however, rely on setting cookies to keep a session
> for an unauthenticated user. For Basic authentication, cookies can
> vastly reduce the number of times a nearly-clear-text password is sent
> over the network, so cookies can make the interaction more secure.
> Session cookies are less secure than Digest authentication; however,
> servers with low security requirements and high performance requirements
> may prefer to use cookies.
>
> In addition to being used for keeping sessions, cookies may be used to
> keep track of other client preferences (this is theoretical as I do not
> know of any actual examples).
>
> Thus, it was proposed that RFC2518 bis reference RFC2965, and say that
> "clients SHOULD support cookies".

I think we agree that a server should not depend on the client
handling cookies. WebDAV needs to function without them.

Therefore the spec should not mention them. I see the risk that
servers or client implementors might be tempted to rely on it.

It is certainly a good idea to collect implementation advice in
some FAQ or the webdav book of why.

//Stefan
Received on Monday, 16 September 2002 07:17:38 GMT
