- From: Daniel Stenberg <daniel@haxx.se>
- Date: Thu, 29 Apr 2021 22:42:09 +0200 (CEST)
- To: "Soni L." <fakedme+http@gmail.com>
- cc: HTTP Working Group <ietf-http-wg@w3.org>

On Thu, 29 Apr 2021, Soni L. wrote:

> We'd like to be able to specify a timeout value for WWW-Authenticate, in
> particular `timeout=0` so the HTTP authentication can be converted into
> session cookies rather than sending the password in plaintext (sure, it gets
> sent over TLS, but that doesn't matter) on every request. Would anyone be
> interested in such a proposal?

What should happen when the time runs out? Is that just an ask to the client that it should drop the auth status at that point?

I don't think this is enough to make people stop using cookies for logged in session status even if you would get someone to adopt.

--
 / daniel.haxx.se

Received on Thursday, 29 April 2021 20:42:28 UTC