On Fri, Jul 20, 2012 at 12:36 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> [snip]
>
> There are in fact two separate authentication concerns in HTTP:
>
> 1) How does the service determine that Alice is making the request on
> behalf of 'alice' at the start of a session?
>
> 2) How does the service re-authenticate subsequent requests in the
> same session (which may span multiple TCP/HTTP sessions).
>
>
> If the session ID is being used as a proxy for authentication, I would
> prefer to do the job right.
>
That's precisely it... at least when we're talking about session IDs at
the application level. Perhaps this is just a matter of (a) defining a
protocol-level routing token mechanism and (b) defining a reasonable
stateful-authentication scheme, and leveraging both to encourage developers
away from the abuse of cookies for both of these uses.
- James
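An added illustration of the two concerns separated above (not code from either author or the thread): a constructed in-memory server in which the session id is only an opaque routing token, and each later request is re-authenticated with a MAC under a per-session key minted at login, so holding the session id alone is not enough. All names, the store layout and the MAC input format are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory session store: session id -> per-session key, principal, seen nonces.
SESSIONS = {}


def start_session(principal, credential_ok):
    """Concern (1): initial authentication of the principal.
    On success, mint an opaque routing token (the session id) and a
    separate per-session secret used to re-authenticate later requests."""
    if not credential_ok:
        return None
    sid = secrets.token_urlsafe(16)
    key = secrets.token_bytes(32)
    SESSIONS[sid] = {"principal": principal, "key": key, "seen": set()}
    return sid, key


def sign_request(key, sid, method, path, nonce):
    """Client side: MAC over the session id and the request it accompanies."""
    msg = f"{sid}\n{method}\n{path}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticate_request(sid, method, path, nonce, mac):
    """Concern (2): re-authentication of a subsequent request.
    The session id only locates state; the request is accepted only if
    its MAC verifies under that session's key and the nonce is fresh
    (replay protection). Returns the principal, or None on rejection."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    expected = sign_request(sess["key"], sid, method, path, nonce)
    if not hmac.compare_digest(expected, mac):
        return None
    if nonce in sess["seen"]:
        return None
    sess["seen"].add(nonce)
    return sess["principal"]
```

The per-session key never travels in later requests, which is the property a bare session cookie lacks.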