Re: Logout from Erik Aronesty on 2001-01-04 (ietf-http-wg@w3.org from January to March 2001)

From: Erik Aronesty <erik@primedata.org>
Date: Wed, 3 Jan 2001 21:23:15 -0500
To: "David W. Morris" <dwm@xpasc.com>
Cc: Tom McLaren <tom@mclaren.tc>, http-wg@cuckoo.hpl.hp.com
Message-ID: <1df901c075f5$703a9a60$cd4751d1@primedata.org>

So, "cookies win" because :

    - iis and netscape's support for http authentication are generally lousy

    - http-authentication standard has somehow "slipped" and has been
overlooked in each successive version

    - the "cookie standard" has progressed quickly and supports all of the
things that regular authentication should have supported a long time ago:

        - passing a "server key" to be added to the digest, which can then
be expired on the server
        - setting expiration times

                                            - Erik







----- Original Message -----
From: "David W. Morris" <dwm@xpasc.com>
To: "Erik Aronesty" <erik@primedata.org>
Cc: "Tom McLaren" <tom@mclaren.tc>; <http-wg@cuckoo.hpl.hp.com>
Sent: Wednesday, January 03, 2001 1:19 PM
Subject: Re: Logout


>
> On Wed, 3 Jan 2001, Erik Aronesty wrote:
>
> > The site cannot easily know whether or not the request was coming from
the
> > cache or the client... unless the cache tells it.
> >
> > Thus the server always relys on a "third party" (the browser or the
> > cache)... to manage or respect authentication "state".
> >
> > It's just an oversight that cookies are "expirable" (they have timeouts
and
> > they can be forced by the server to expire) and usernames/passwords
aren't.
> >
> > In a way, "cookies" are "more secure" than the security mechanisms built
> > into http.
>
> Except that as V1 cookies are implemented, once you set an expiration,
> even short on a cookie, it is written to the user's hard drive.  An
> immediate exposure which to me negates any value in a timeout.
>
> What makes cookies more secure is that they can be used via a random
> opaque token as the value to create a server side notion of a session
> which can have expirations, sliding timeouts, re-authentication, etc. And
> if an application logout button is clicked, the cookie can be totally
> reset by client side javascript OR a serverside update.
>
> I've led a number of teams building web based applications and have never
> found http level authentication worth using. The user experience is
> confusing at best, the server side authentication processing excessively
> complex, error handling impossible to control, etc. It takes writing your
> own web server or complex ISAPI/NSAPI exits to control the interaction
> with application authentication mechanisms.
>
> So again cookies win.
>
> Dave Morris
>
>
>

Received on Wednesday, 3 January 2001 18:25:50 UTC