W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: WWW-Authenticate proposal: timeout flag

From: Soni L. <fakedme+http@gmail.com>
Date: Thu, 29 Apr 2021 17:50:53 -0300
To: Daniel Stenberg <daniel@haxx.se>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <e1f38a82-fc43-f420-63fa-68604721d536@gmail.com>

On 2021-04-29 5:42 p.m., Daniel Stenberg wrote:
> On Thu, 29 Apr 2021, Soni L. wrote:
>> We'd like to be able to specify a timeout value for WWW-Authenticate,
>> in particular `timeout=0` so the HTTP authentication can be converted
>> into session cookies rather than sending the password in plaintext
>> (sure, it gets sent over TLS, but that doesn't matter) on every
>> request. Would anyone be interested in such proposal?
> What should happen when the time runs out? Is that just an ask to the
> client that it should drop the auth status at that point?
> I don't think this is enough to make people stop using cookies for
> logged in session status even if you would get someone to adopt.

It's to stop using forms, not cookies. Cookies are more secure because
they don't keep re-sending the password such that a malicious or
compromised server could exfiltrate the plaintext. Using cookies for
logged in session status is a good thing.
Received on Thursday, 29 April 2021 20:51:09 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 29 April 2021 20:51:10 UTC