- From: Sylvain Hellegouarch <sh@defuze.org>
- Date: Mon, 12 Jun 2006 13:02:42 +0100 (BST)
- To: "HTTP Working Group" <ietf-http-wg@w3.org>
> > Roy T. Fielding wrote: >> All cookies are non-secure. Using them for security purposes (like >> access control) is just begging for security holes. > > Yes and no. They're less secure in the sense that they're not > typically stored as carefully. They're more secure in the sense that > with cookies a site can remove access under the site's control by > removing access from a particular cookie value, e.g. to implement a > login timeout policy, explicit logout button, single-client access or > whatever the site's policy. > > It's no coincidence that almost every site on the net uses cookies for > access control, rather than HTTP user/password. It certainly is not > due to lack of security considerations. Could not this be done via Digest Auth if browsers provided an API (understand via accessiblity from Javascript) allowing web app developers to nicely integrate the login/password fields in their page instead of that ugly popup all browsers use? - Sylvain
Received on Monday, 12 June 2006 12:02:52 UTC