Re: Introducing a Session header...

I would like to have a strong session cookie. That is a session cookie
that is bound to some shared secret and a protocol that allows the
client to provide a proof of knowledge of the secret with each
request.

The reason for this is that once the client has performed an initial
authentication to the service (via password, OAUTH, OpenID, sheep's
entrails, whatever) it can re-authenticate at very low cost on every
successive request.

This would be in addition to any authentication mechanism provided by
TLS, since TLS authentication is typically client authentication of the
server, not server authentication of the client.

This does not solve the HTTP authentication problem but it does break
off a significant chunk for separate work.

Received on Wednesday, 18 July 2012 00:55:20 UTC
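The mechanism sketched above (a session bound to a shared secret, with a per-request proof of knowledge of that secret), as an added illustration that is not code from the thread or from any proposed specification; the `Session:` header field layout, the in-memory stores and the 300-second skew window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores for the example; a real server would use its
# session backend. Session id -> secret shared only with that client.
SESSIONS = {}
SEEN_NONCES = set()
MAX_SKEW = 300  # seconds; proofs with timestamps outside this window are rejected

def create_session() -> Tuple[str, bytes]:
    """Server side, after the initial login (password, OAuth, ...): mint a
    session id plus a fresh secret. The secret is sent once and never again."""
    sid = secrets.token_urlsafe(16)
    secret = secrets.token_bytes(32)
    SESSIONS[sid] = secret
    return sid, secret

def _mac_input(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    # Bind the proof to the request itself so it cannot be reused for another one.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()

def make_proof(sid: str, secret: bytes, method: str, path: str,
               body: bytes = b"", ts: Optional[int] = None) -> str:
    """Client side: build the (hypothetical) Session header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, _mac_input(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return f"id={sid}, ts={ts}, nonce={nonce}, proof={mac}"

def verify_proof(header: str, method: str, path: str,
                 body: bytes = b"", now: Optional[int] = None) -> bool:
    """Server side: re-derive the MAC from the stored secret and compare in constant time."""
    try:
        fields = dict(part.strip().split("=", 1) for part in header.split(","))
        sid, ts, nonce, proof = fields["id"], int(fields["ts"]), fields["nonce"], fields["proof"]
    except (KeyError, ValueError):
        return False  # malformed header
    secret = SESSIONS.get(sid)
    if secret is None:
        return False  # unknown or expired session
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW or (sid, nonce) in SEEN_NONCES:
        return False  # stale timestamp or replayed nonce
    expected = hmac.new(secret, _mac_input(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof):
        return False
    SEEN_NONCES.add((sid, nonce))
    return True
```

Because the header carries only a MAC over the request rather than the secret itself, capturing one header does not let an observer forge a different request or replay the same one.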