- From: Thomas Broyer <t.broyer@ltgt.net>
- Date: Mon, 5 Jan 2009 01:25:13 +0100
- To: ietf-http-auth@osafoundation.org
- Cc: ietf-http-wg@w3.org, public-html <public-html@w3.org>, whatwg@whatwg.org
Hi all,

As I previously said, I spent some holiday time to put my thoughts about "RFC2617-compliant cookie-based authentication" into an Internet Draft. Today is my birthday (and the last day of my holidays) so I thought I should do something special. I therefore submitted version 00 of my work ("release early, release often" they said).

As written in the draft, discussion should go to the ietf-http-auth list (if it happened to not be the appropriate list, please tell me so I can fix it in the next version).

The Security Considerations section is not yet complete but for this 00 draft I thought the overall authentication process was the most important (have a look at the examples too).

Thanks in advance for your feedback.

(My intent is to publish some kind of "reference implementations" and "proof of concepts" in various languages later in my mercurial repository http://broyer.info/hg/http-cookie-auth/ but if you'd like to contribute now, just send me your code!)

---------- Forwarded message ----------
From: IETF I-D Submission Tool <idsubmission@ietf.org>
Date: Mon, Jan 5, 2009 at 1:15 AM
Subject: New Version Notification for draft-broyer-http-cookie-auth-00
To: t.broyer@ltgt.net

A new version of I-D, draft-broyer-http-cookie-auth-00.txt has been successfully submitted by Thomas Broyer and posted to the IETF repository.

Filename: draft-broyer-http-cookie-auth
Revision: 00
Title: Cookie-based HTTP Authentication
Creation_date: 2009-01-04
WG ID: Independent Submission
Number_of_pages: 11

Abstract:
This document specifies an HTTP authentication scheme for use when credentials are validated by an out-of-band mechanism (not defined here) and later communicated to the server through the use of a cookie. Which out-of-band mechanism should be used, and how, is described by the 401 (Unauthorized) response body. It is common practice that this mechanism is an HTML form, sending the user's credentials with the use of an HTTP POST request to a tier URL which will set a cookie in response; though this document doesn't preclude the use of other mechanisms.

The IETF Secretariat.

--
Thomas Broyer
Received on Monday, 5 January 2009 00:26:56 UTC