W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: WWW-Authenticate proposal: timeout flag

From: Rafal Pietrak <cookie.rp@ztk-rp.eu>
Date: Fri, 30 Apr 2021 13:33:06 +0200
To: ietf-http-wg@w3.org
Message-ID: <b49b4943-0e12-b219-46b7-9988b3d3311f@ztk-rp.eu>
Hi everyone,

W dniu 29.04.2021 o 22:50, Soni L. pisze:
> On 2021-04-29 5:42 p.m., Daniel Stenberg wrote:
>> On Thu, 29 Apr 2021, Soni L. wrote:
>>> We'd like to be able to specify a timeout value for WWW-Authenticate,
>>> in particular `timeout=0` so the HTTP authentication can be converted
>>> into session cookies rather than sending the password in plaintext
>>> (sure, it gets sent over TLS, but that doesn't matter) on every
>>> request. Would anyone be interested in such proposal?
>> What should happen when the time runs out? Is that just an ask to the
>> client that it should drop the auth status at that point?
>> I don't think this is enough to make people stop using cookies for
>> logged in session status even if you would get someone to adopt.
> It's to stop using forms, not cookies. Cookies are more secure because
> they don't keep re-sending the password such that a malicious or
> compromised server could exfiltrate the plaintext. Using cookies for
> logged in session status is a good thing.

Still, cookies have their problems.

Would somebody be so kind and have a look at my proposal regarding
cookies at: https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/

... and naturally give it a comment or two :)

Best regards,

Rafał Pietrak
Received on Friday, 30 April 2021 11:33:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 30 April 2021 11:33:30 UTC