- From: Soni L. <fakedme+http@gmail.com>
- Date: Thu, 29 Apr 2021 17:50:53 -0300
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 2021-04-29 5:42 p.m., Daniel Stenberg wrote: > On Thu, 29 Apr 2021, Soni L. wrote: > >> We'd like to be able to specify a timeout value for WWW-Authenticate, >> in particular `timeout=0` so the HTTP authentication can be converted >> into session cookies rather than sending the password in plaintext >> (sure, it gets sent over TLS, but that doesn't matter) on every >> request. Would anyone be interested in such proposal? > > What should happen when the time runs out? Is that just an ask to the > client that it should drop the auth status at that point? > > I don't think this is enough to make people stop using cookies for > logged in session status even if you would get someone to adopt. > It's to stop using forms, not cookies. Cookies are more secure because they don't keep re-sending the password such that a malicious or compromised server could exfiltrate the plaintext. Using cookies for logged in session status is a good thing.
Received on Thursday, 29 April 2021 20:51:09 UTC