- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Wed, 14 Nov 2012 21:02:49 -0500
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAMm+Lwgc8b0nShWa2O8HNBDFKkdcpS0Hj483Y0ix8L8jVeQZhg@mail.gmail.com>
As people will have noticed, using cookies as bearer tokens for authentication/authorization is a really bad idea. The fact that the information is static means that the cookies are vulnerable to cookie stealing through all sorts of weird and not-wonderful ways, of which CRIME and BEAST represent the hard way to do things.

WebSec is looking at mechanisms that shut down some of the most egregious known vectors for cookie leakage, but we are not going to have a satisfactory Web authentication infrastructure unless we can stop using bearer tokens for authentication.

I have updated my draft describing an approach to addressing this issue by defining a new HTTP header whose purpose is to carry the session continuation data once an authentication context has been established. The means by which the session is established is out of scope for the document, though I have put in a sketch of a design for explanatory purposes.

The idea is that regardless of how the authentication session is established (Kerberos, SAML, OpenID, WS-*, new HTTP schemes), the same mechanism can be used to apply that context to subsequent messages.

http://tools.ietf.org/html/draft-hallambaker-httpintegrity-02

--
Website: http://hallambaker.com/
Received on Thursday, 15 November 2012 02:03:16 UTC
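As an added illustration of the point the message makes (this is not the draft's header syntax, and not the author's code), the Python below contrasts a static bearer cookie, which authorizes whoever presents it for any request, with a session-keyed integrity header that binds each request to the established session key, the method, the path, the body and a fresh nonce. The header name, canonicalisation and nonce format are assumptions made for the example.

```python
"""Bearer cookie vs. session-keyed integrity header (illustration only)."""
import hashlib
import hmac
import secrets


def bearer_accepts(presented_cookie: str, stored_cookie: str) -> bool:
    """A bearer cookie is static: a copied value works for any request, forever."""
    return hmac.compare_digest(presented_cookie, stored_cookie)


def canonical_request(method: str, path: str, nonce: str, body: bytes) -> bytes:
    """Hypothetical canonical form: bind the MAC to what the request actually does."""
    body_hash = hashlib.sha256(body).hexdigest().encode()
    return b"\n".join([method.encode(), path.encode(), nonce.encode(), body_hash])


def make_integrity_header(key: bytes, method: str, path: str, body: bytes) -> str:
    """Client side: one MAC per request under the session key; format '<nonce>:<hex mac>'."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, canonical_request(method, path, nonce, body), hashlib.sha256)
    return f"{nonce}:{mac.hexdigest()}"


def verify_integrity_header(key: bytes, seen_nonces: set, method: str, path: str,
                            body: bytes, header: str) -> bool:
    """Server side: reject a replayed nonce, then check the MAC against the received request."""
    try:
        nonce, mac = header.split(":", 1)
    except ValueError:
        return False
    if nonce in seen_nonces:
        return False  # same header seen before: replay
    expected = hmac.new(key, canonical_request(method, path, nonce, body), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), mac):
        return False  # header was computed over a different request (or wrong key)
    seen_nonces.add(nonce)
    return True


def demo() -> dict:
    key = secrets.token_bytes(32)           # constructed: agreed at authentication, out of scope
    cookie = "session=" + secrets.token_hex(16)  # constructed static bearer value
    seen: set = set()
    body = b"to=alice&amount=10"
    hdr = make_integrity_header(key, "POST", "/transfer", body)
    return {
        "cookie_copy_accepted": bearer_accepts(cookie, cookie),
        "header_on_other_path": verify_integrity_header(key, seen, "GET", "/admin", b"", hdr),
        "header_with_altered_body": verify_integrity_header(key, seen, "POST", "/transfer", b"to=mallory&amount=10", hdr),
        "legitimate": verify_integrity_header(key, seen, "POST", "/transfer", body, hdr),
        "replay": verify_integrity_header(key, seen, "POST", "/transfer", body, hdr),
    }
```

Only the legitimate request is accepted: a copied header is useless for another path or body, and is rejected on replay, whereas the copied cookie is accepted unconditionally.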