Re: Introducing a Session header...

On Fri, Jul 20, 2012 at 12:36 PM, Phillip Hallam-Baker <>wrote:

> [snip]
> There are in fact two separate authentication concerns in HTTP:
> 1) How does the service determine that Alice is making the request on
> behalf of 'alice' at the start of a session?
> 2) How does the service re-authenticate subsequent requests in the
> same session (which may span multiple TCP/HTTP sessions).
> If the session ID is being used as a proxy for authentication, I would
> prefer to do the job right.

That's precisely it... at least when we're talking about session ID's at
the application level. Perhaps this is just a matter of (a) defining a
protocol-level routing token mechanism and (b) defining a reasonable
stateful-authentication scheme and leverage both to encourage developers
away from the abuse of cookies for both of these uses.

- James

Received on Friday, 20 July 2012 19:52:14 UTC