Re: Cookie Question from wyllys@reston.ans.net on 1997-02-14 (ietf-http-wg@w3.org from January to March 1997)

From: <wyllys@reston.ans.net>
Date: Fri, 14 Feb 1997 16:13:34 -0500 (EST)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: jg@zorch.w3.org, luotonen@netscape.com
Message-Id: <199702142110.AA08816@interlock.reston.ans.net>

> 
> > Could one or both of you explain what it would be used for?
> > It would help the rest of us support such a proposal.
> > Just asserting it would be useful doesn't help us (as a working
> > group) understand (or understand what problems it would present
> > that have to be thought about).
> 
> I'll list some off the top of my head:
> 
>  o one-time password/securID type authentication where a cookie is
>    issued and considered as valid credentials for a certain period of
>    time and then expired

This is the exact application that we were considering here.  As
a firewall vendor, we have considered several methods for incorporating
a stronger authentication method than the standard Unix password.
If there was a proxy-cookie with parameters such as expiration time we 
could incorporate some of the one-time password schemes alot easier.

--
 Wyllys Ingersoll                    
 ANS Communications
 Reston VA


>  o other access control data, e.g. ACL's

>  o being able to track usage patterns without forcing user
>    authentication
> 
>  o being able to customize the view through the proxy
> 
>  o maintaining client state on proxy side that useful and necessary,
>    e.g.
> 
> 	o to guarantee that a Java originated connection gets to the
> 	  same IP address as the Java applet was loaded from (to
> 	  avoid the DNS spoofing attack)
> 
> 	o to guarantee the same proxy route to the origin server, to
> 	  avoid problems where sites would associate a client cookie
> 	  with the incoming IP address, and with multiple different
> 	  proxy routes end up in a situation where client's cookie is
> 	  considered invalid by the origin server because it came
> 	  through a different proxy route (different source IP
> 	  address)
> 
> The two last subitems I don't mind if HTTP WG proposes some other
> mechanism to deal with them; however, if we go with Proxy-cookies
> (which I fully support), this would be a possible solution.
> 
> Cheers,
> --
> Ari Luotonen	* * * Opinions my own, not Netscape's * * *
> Netscape Communications Corp.		ari@netscape.com
> 501 East Middlefield Road		http://home.netscape.com/people/ari/
> Mountain View, CA 94043, USA		Netscape Proxy Server Development
>

Received on Friday, 14 February 1997 13:22:56 UTC