- From: Ross Nicoll <jrn@jrn.me.uk>
- Date: Fri, 20 Jul 2012 13:45:50 +0100
- To: ietf-http-wg@w3.org
On 20/07/2012 13:35, Poul-Henning Kamp wrote:
> In message <8d6b6668433e8aa7c67601ab9b0f485d.squirrel@arekh.dyndns.org>, "Nicolas Mailhot" writes:
>
>> The problem if you do it this way is that:
>> 3. the user agent has no information if it should share the id with
>> another site or not
>
> Ohh, that's the disconnect: It should _never_ share the session-id
> with any other site, that's sort of the entire point.

We rather do want sites to share session IDs, actually, so we can do easy single-sign-on. At the moment we fairly much only do this within a domain, but in the future we might see something like Project Moonshot ( http://www.project-moonshot.org/ ) providing single-sign-on for all UK academic institutions (this is really useful for cases such as external examiners being able to access resources in institutions not their own, for example).

Of course, we do also want to control how session IDs are shared (I don't think it's something I'd want my bank doing!)
Received on Friday, 20 July 2012 12:46:19 UTC