- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Tue, 17 Jul 2012 20:23:47 -0400
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Martin Thomson <martin.thomson@gmail.com>, James M Snell <jasnell@gmail.com>, ietf-http-wg@w3.org
I would like to have a strong session cookie. That is a session cookie that is bound to some shared secret and a protocol that allows the client to provide a proof of knowledge of the secret with each request.

The reason for this is that once the client has performed an initial authentication to the service (via password, OAUTH, OpenID, sheep's entrails, whatever) it can re-authenticate at very low cost on every successive request.

This would be in addition to any authentication mechanism provided by TLS since TLS authentication is typically client authentication of the server and that is not server authentication of the client.

This does not solve the HTTP authentication problem but it does break off a significant chunk for separate work.
Received on Wednesday, 18 July 2012 00:55:20 UTC
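The following is an added sketch of the "strong session cookie" idea in the message above; it is not code from the author or from the HTTP WG, and it is not a proposal that was adopted. It assumes HMAC-SHA256 as the proof of knowledge, a canonical string of method, path, nonce and body digest, a made-up `Authorization: Session sid=...,nonce=...,mac=...` header layout, and a constructed credential for the initial login. The server keeps the per-session secret and re-verifies each request cheaply; the demo shows a valid request, a replay, a MAC re-pointed at another path, and a forgery by someone who holds the cookie but not the secret.

```python
import hashlib
import hmac
import secrets


class Server:
    def __init__(self):
        self.sessions = {}      # session id (the cookie value) -> shared secret
        self.seen_nonces = {}   # session id -> nonces already accepted

    def login(self, user, password):
        """Initial, expensive authentication. The constructed credential check
        stands in for password/OAuth/OpenID. Returns (cookie, secret); in a real
        deployment the secret is delivered once, over TLS, and never resent."""
        if (user, password) != ("alice", "correct horse"):   # constructed credential
            return None
        sid = secrets.token_urlsafe(16)
        secret = secrets.token_bytes(32)
        self.sessions[sid] = secret
        self.seen_nonces[sid] = set()
        return sid, secret

    def verify(self, method, path, body, headers):
        """Cheap per-request re-authentication: recompute the MAC over the
        request, compare in constant time, and reject reused nonces."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Session "):
            return False
        fields = {}
        for kv in auth[len("Session "):].split(","):
            if "=" not in kv:
                return False
            k, v = kv.split("=", 1)
            fields[k] = v
        sid, nonce, mac = fields.get("sid"), fields.get("nonce"), fields.get("mac")
        secret = self.sessions.get(sid)
        if secret is None or nonce is None or mac is None:
            return False
        if nonce in self.seen_nonces[sid]:
            return False                       # replay of an already-accepted request
        expected = compute_mac(secret, method, path, nonce, body)
        if not hmac.compare_digest(expected, mac):
            return False                       # wrong secret or altered request
        self.seen_nonces[sid].add(nonce)
        return True


def canonical_request(method, path, nonce, body):
    # Binding method, path and a body digest means a captured MAC cannot be
    # re-pointed at a different resource or payload (assumed layout).
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, nonce, body_digest]).encode()


def compute_mac(secret, method, path, nonce, body):
    return hmac.new(secret, canonical_request(method, path, nonce, body),
                    hashlib.sha256).hexdigest()


def sign_request(sid, secret, method, path, body=b""):
    """Client side: attach proof of knowledge of the secret to one request."""
    nonce = secrets.token_hex(8)
    mac = compute_mac(secret, method, path, nonce, body)
    return {"Authorization": f"Session sid={sid},nonce={nonce},mac={mac}"}


def demo():
    """Run the exchange; returns the verification outcome of each case."""
    server = Server()
    sid, secret = server.login("alice", "correct horse")

    good = sign_request(sid, secret, "GET", "/account")
    ok = server.verify("GET", "/account", b"", good)

    # Same headers presented a second time: the nonce was already consumed.
    replayed = server.verify("GET", "/account", b"", good)

    # Attacker captures a fresh, valid request and aims it at another path.
    captured = sign_request(sid, secret, "GET", "/account")
    tampered = server.verify("GET", "/admin", b"", captured)

    # Attacker who stole only the cookie (sid) but never learned the secret.
    forged = sign_request(sid, b"wrong secret", "GET", "/account")
    forged_ok = server.verify("GET", "/account", b"", forged)

    return {"ok": ok, "replayed": replayed, "tampered": tampered, "forged": forged_ok}


if __name__ == "__main__":
    print(demo())
```

Only `ok` comes back true; the other three fail for the reasons the message gives for wanting such a cookie: the bearer value alone is worthless without the secret, and each proof is tied to one specific request.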