Re: Interop issue: Can we require clients to accept cookies?

From: Dan Brotsky <dbrotsky@adobe.com>
Date: Tue, 17 Sep 2002 01:13:04 -0700
To: Webdav WG <w3c-dist-auth@w3.org>
Message-Id: <4A544AFD-CA15-11D6-84D7-0003931036B4@adobe.com>

>
> Lisa Dusseault wrote:
>
>> RFC 2518 is silent on cookies.... it was proposed that RFC2518 bis 
>> ... say that
>> "clients SHOULD support cookies".

I also strongly oppose any mention of cookies, and would vehemently 
oppose any proposal that clients SHOULD support cookies with WebDAV.  
In addition to all the very good arguments mentioned so far, I would 
add that the cookie spec *requires* providing explicit user control of 
the use of cookies.  This means that clients which support cookies have 
to support a whole bunch of UI that has arguably nothing to do with 
distributed authoring, either complicating their user model or forcing 
them to tie together the use of their client with the use of a browser 
(where cookie control UI typically lives).

By the way, Adobe has yet to test against a WebDAV server that does 
cookie-based authentication that did not (in our view) start out with 
some serious security holes.  Even our own implementations, for use 
with servers that provided Web-based UIs, took months to get to a 
reasonably-secure place.

If I were to advocate that the spec say anything about cookies, it 
would be that servers SHOULD NOT use cookies as an authentication 
mechanism.

     dan
Received on Tuesday, 17 September 2002 04:13:42 GMT
