Re: Introducing a Session header... from James M Snell on 2012-07-20 (ietf-http-wg@w3.org from July to September 2012)

From: James M Snell <jasnell@gmail.com>
Date: Fri, 20 Jul 2012 12:51:26 -0700
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Roberto Peon <grmocg@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Philippe Mougin <pmougin@acm.org>
Message-ID: <CABP7Rbc-W_WyWZ2Zqv95pQN7TU31sM4OUNTG4c_5oTdKHKi3ig@mail.gmail.com>

On Fri, Jul 20, 2012 at 12:36 PM, Phillip Hallam-Baker <hallam@gmail.com>wrote:

> [snip]
>
> There are in fact two separate authentication concerns in HTTP:
>
> 1) How does the service determine that Alice is making the request on
> behalf of 'alice' at the start of a session?
>
> 2) How does the service re-authenticate subsequent requests in the
> same session (which may span multiple TCP/HTTP sessions).
>
>
> If the session ID is being used as a proxy for authentication, I would
> prefer to do the job right.
>

That's precisely it... at least when we're talking about session ID's at
the application level. Perhaps this is just a matter of (a) defining a
protocol-level routing token mechanism and (b) defining a reasonable
stateful-authentication scheme and leverage both to encourage developers
away from the abuse of cookies for both of these uses.

- James

Received on Friday, 20 July 2012 19:52:14 UTC