HTTP Integrity Header / Session Continuation mechanism

As people will have noticed, using cookies as bearer tokens for
authentication/authorization is a really bad idea. The fact that the
information is static means that the cookies are vulnerable to cookie
stealing through all sorts of weird and not-wonderful ways of which CRIME
and BEAST represent the hard way to do things.

WebSec is looking at mechanisms that shut down some of the most egregious
known vectors for cookie leakage but we are not going to have a
satisfactory Web authentication infrastructure unless we can stop using
bearer tokens for authentication.

I have updated my draft describing an approach to addressing this issue by
defining a new HTTP header whose purpose is to carry the session
continuation data once an authentication context has been established. The
means by which the session is established is out of scope for the document
though I have put in a sketch of a design for explanatory purposes. The
idea is that regardless of how the authentication session is established
(Kerberos, SAML, OpenID, WS-*, new HTTP schemes) the same mechanism can be
used to apply that context to subsequent messages.


Received on Thursday, 15 November 2012 02:03:16 UTC
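To make the distinction between a bearer cookie and a per-message session continuation header concrete, here is an added example (not code from the post or from the draft it refers to). It assumes a hypothetical header name `Session-Integrity` and an HMAC-SHA256 construction: the out-of-scope authentication step ends by agreeing a secret session key, and every later request carries a MAC over the method, path, host, timestamp, nonce and body hash computed with that key. The key itself is never sent, so a captured header cannot be replayed or transplanted onto another request, which is exactly what a static cookie value cannot prevent.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical header name for this illustration; the draft does not fix one.
HEADER = "Session-Integrity"
MAX_SKEW = 300  # seconds of client/server clock difference tolerated


class SessionStore:
    """Server-side table of established sessions: sid -> key, user, seen nonces."""

    def __init__(self):
        self.sessions = {}

    def establish(self, user):
        # Stand-in for the out-of-scope authentication step (Kerberos, SAML, ...).
        # Whatever it is, it ends with a shared secret that never goes on the wire again.
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.sessions[sid] = {"user": user, "key": key, "nonces": set()}
        return sid, key


def canonical(method, path, host, ts, nonce, body):
    """Bytes the MAC covers: the request identity, a time and a one-time nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, host.lower(), str(ts), nonce, body_hash]).encode()


def sign_request(sid, key, method, path, host, body=b"", ts=None, nonce=None):
    """Client side: build the header value for one specific request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, canonical(method, path, host, ts, nonce, body), hashlib.sha256).hexdigest()
    return f"sid={sid}, ts={ts}, nonce={nonce}, mac={mac}"


def parse_header(value):
    fields = {}
    for item in value.split(","):
        k, _, v = item.strip().partition("=")
        fields[k] = v
    return fields


def verify_request(store, header_value, method, path, host, body=b"", now=None):
    """Server side: accept the request only if the MAC binds it to a live session."""
    now = int(time.time()) if now is None else now
    try:
        f = parse_header(header_value)
        sid, ts, nonce, mac = f["sid"], int(f["ts"]), f["nonce"], f["mac"]
    except (KeyError, ValueError):
        return False
    sess = store.sessions.get(sid)
    if sess is None:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # stale: limits how long a captured header is useful at all
    if nonce in sess["nonces"]:
        return False  # replay of a header already accepted
    expected = hmac.new(sess["key"], canonical(method, path, host, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # tampered request, or header copied onto a different request
    # Record the nonce only after a successful check (a real server would also
    # expire nonces older than MAX_SKEW so the set stays bounded).
    sess["nonces"].add(nonce)
    return True


def demo():
    """Constructed scenario: one genuine request, then the three misuse cases."""
    store = SessionStore()
    sid, key = store.establish("alice")
    now = 1352944996  # constructed fixed clock so the run is deterministic
    req = ("POST", "/account/transfer", "example.com", b"to=bob&amount=10")
    hdr = sign_request(sid, key, *req, ts=now, nonce="n1")
    results = {"genuine": verify_request(store, hdr, *req, now=now)}
    # Same header presented again: rejected by the nonce check.
    results["replay"] = verify_request(store, hdr, *req, now=now)
    # A header captured from one request and attached to a different body.
    hdr2 = sign_request(sid, key, *req, ts=now, nonce="n2")
    results["moved_to_other_request"] = verify_request(
        store, hdr2, "POST", "/account/transfer", "example.com", b"to=mallory&amount=1000", now=now)
    # A header whose timestamp is an hour old.
    hdr3 = sign_request(sid, key, *req, ts=now - 3600, nonce="n3")
    results["stale"] = verify_request(store, hdr3, *req, now=now)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the canonical string is that everything an attacker might want to change (target path, body, host) is under the MAC, while the timestamp and nonce bound how long and how often a captured value can be presented; what goes into that string, and how nonces are expired, are the design decisions a real header specification has to settle.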