- From: Robert A. Lentz <lentz@annie.astro.nwu.edu>
- Date: Tue, 23 Jul 1996 19:44:44 -0500 (CDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Greetings,

The current cookie proposal appears insufficient to assure a secure environment for providing state management in an authenticated system where multiple users have access to the same single-user machine.

To be specific, and provide an example, I will use the environment, and application, I am trying to use: There will be a cookie as an identifier for an authenticated session during which the student will conduct online course work, possibly from a public computer lab. What I want to guard against is the possibility of subsequent users of the same machine being able to "work" as the previous student.

Relying upon the default Max-Age behavior of not saving the cookie is not an option. I use Max-Age to limit the validity of a session to guard against a student just walking away from their computer, leaving it unattended (much like auto-locking screen savers or idle timeouts on various shells, or kerberos tickets). Yet I would also like for the cookie to disappear after one person's "use" of the client, whether this be signified by an actual quitting of the client program, closing the browsing window, switching user environment, etc.

What I would propose is another standard attribute "Single-user". This attribute would indicate not only that the cookie is not to be kept across client invocations, but also that the cookie should be discarded after any indication that the user has closed the session, such as closing the window, switching user environments, etc.

(And perhaps the cookie should not be shared by multiple windows of the user agent unless the other windows are opened from the originating session?)

thank you,
-Robert

--
r-lentz@nwu.edu
http://www.astro.nwu.edu/lentz/plan.html
"The intellectual level of the schools can be no higher than the intellectual level of the culture in which they float." -Richard Gibboney
Received on Tuesday, 23 July 1996 17:50:29 UTC
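Added example (Python; not code from the post or from the http-wg proposal) of the Max-Age idle-timeout half of the scheme described in the message above: the server issues Set-Cookie with a Max-Age equal to the idle window, and because Max-Age only asks the client to discard the cookie, the server also enforces the idle window and logout on its own side, so a cookie a client kept past the window, or one left behind by a previous lab user after logout, is rejected. The cookie name "sid", the 600-second timeout, the Cookie/Set-Cookie line formats and the injectable clock are assumptions made for illustration; the proposed "Single-user" attribute is client-side behaviour and is not modelled here.

```python
"""Cookie-backed session with an idle timeout: Max-Age on the client side,
enforced independently on the server side. Added example, not the post's code.
Cookie name "sid", the 600 s window and the header formats are assumptions."""
import secrets
import time

IDLE_TIMEOUT = 600  # assumed idle window, in seconds (the Max-Age value)
COOKIE_NAME = "sid"  # assumed cookie name


def parse_cookie_header(value: str) -> dict:
    """Parse a Cookie request header, with or without the 'Cookie:' prefix."""
    if value.lower().startswith("cookie:"):
        value = value[len("cookie:"):]
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


class SessionStore:
    """Server-side record of authenticated sessions keyed by an opaque cookie value."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so a test can move time forward
        self._sessions = {}  # sid -> {"user": ..., "last_seen": ...}

    def _set_cookie(self, sid: str, max_age: int) -> str:
        # Max-Age tells a conforming client when to drop the cookie; Max-Age=0 deletes it.
        return (f"Set-Cookie: {COOKIE_NAME}={sid}; Max-Age={max_age}; Path=/; "
                f"Secure; HttpOnly")

    def login(self, user: str):
        """Start a session; returns (sid, Set-Cookie header)."""
        sid = secrets.token_urlsafe(32)  # unguessable identifier, no user data inside
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid, self._set_cookie(sid, self.idle_timeout)

    def authenticate(self, cookie_header: str):
        """Validate the request's cookie. Returns (user, refreshed Set-Cookie) or None.
        Expiry is checked here, so a stale cookie the client failed to discard is rejected."""
        sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # idle too long: the "walked away" case
            return None
        session["last_seen"] = now  # sliding window: activity extends the session
        return session["user"], self._set_cookie(sid, self.idle_timeout)

    def logout(self, sid: str) -> str:
        """End the session on the server and tell the client to delete the cookie."""
        self._sessions.pop(sid, None)
        return self._set_cookie(sid="", max_age=0)


if __name__ == "__main__":
    store = SessionStore()
    sid, header = store.login("student1")
    print(header)
    print(store.authenticate(f"Cookie: lang=en; {COOKIE_NAME}={sid}"))
    print(store.logout(sid))
    print(store.authenticate(f"{COOKIE_NAME}={sid}"))  # next lab user cannot reuse it
```

The sliding window is what makes Max-Age usable as an idle timeout rather than a hard session length: every authenticated request re-issues the cookie with a fresh Max-Age. The server-side check is the part a client attribute cannot replace, since nothing stops a non-conforming or compromised client from presenting the cookie after the window has passed.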