- From: Paul Leach <paulle@microsoft.com>
- Date: Mon, 24 Nov 1997 10:44:33 -0800
- To: "'David W. Morris'" <dwm@xpasc.com>
- Cc: 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'Jim Gettys' <jg@w3.org>, 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Two comments:

Certain popular web servers have a builtin "session" mechanism, so that what the server needs to do has already been implemented.

The guys who want this want to trust the browser as little as possible. A browser that doesn't understand the timeout directive would ignore it. A browser that doesn't understand "4xx reauth required" will consider it a fatal error. They like that default.

> ----------
> From: David W. Morris[SMTP:dwm@xpasc.com]
> Sent: Monday, November 24, 1997 10:34 AM
> To: Paul Leach
> Cc: 'http-wg'; 'Jim Gettys'; 'http-wg'
> Subject: RE: REAUTHENTICATION REQUIRED
>
> On Mon, 24 Nov 1997, Paul Leach wrote:
>
> > How about cookies? I've heard they are useful for tracking state... :-)
> >
> > As I understand it: cookie has a magic number in it. Magic number is index
> > into a table at the server. Table has timeout information.
>
> Cookies are one way to maintain state, munged URLs are another. Both
> are more complex than needed if the client is simply given a timeout.
>
> Servers which want more precision or actually require a stateful
> interaction will of course maintain their own timeouts. But for basic
> access to a secured set of WEB resources, having the client provide
> the timing keeps everything simpler.
Received on Monday, 24 November 1997 10:49:24 UTC
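
The server-side scheme discussed in this message (a cookie value that indexes a server table holding the timeout), sketched as an added example that is not code from the thread or from any server mentioned in it. `SessionTable`, `FakeClock`, the 300-second idle limit and the `"4xx"` placeholder (the thread never assigns the status a number) are assumptions.

```python
import secrets
import time

# Placeholder: the thread says "4xx reauth required" without a concrete code.
REAUTH_REQUIRED = "4xx"

class SessionTable:
    """Server-held table: cookie value -> (user, last_seen). The client never sees the timeout."""
    def __init__(self, idle_timeout, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._rows = {}

    def login(self, user):
        # Unguessable value so the cookie cannot be enumerated like a small integer index.
        token = secrets.token_urlsafe(32)
        self._rows[token] = (user, self.clock())
        return token

    def check(self, token):
        """Return (status, user); the server alone decides when reauthentication is due."""
        row = self._rows.get(token)
        if row is None:                      # unknown, forged or already expired value
            return REAUTH_REQUIRED, None
        user, last_seen = row
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._rows[token]            # expired rows are dropped, not revived
            return REAUTH_REQUIRED, None
        self._rows[token] = (user, now)      # sliding idle window
        return 200, user

class FakeClock:
    """Constructed clock so the timeline below is deterministic."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def demo():
    clock = FakeClock()
    table = SessionTable(idle_timeout=300, clock=clock)
    token = table.login("alice")             # constructed user name
    results = []
    for t in (200, 450, 800, 801):           # idle gaps: 200s, 250s, 350s, then row gone
        clock.now = t
        results.append(table.check(token))
    results.append(table.check("forged-value"))
    return results
```

A client that ignores or rewrites its cookie's lifetime gains nothing here, because expiry is evaluated against the table row on every request.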