- From: Rafal Pietrak <cookie.rp@ztk-rp.eu>
- Date: Fri, 30 Apr 2021 13:33:06 +0200
- To: ietf-http-wg@w3.org
Hi everyone, W dniu 29.04.2021 o 22:50, Soni L. pisze: > > > On 2021-04-29 5:42 p.m., Daniel Stenberg wrote: >> On Thu, 29 Apr 2021, Soni L. wrote: >> >>> We'd like to be able to specify a timeout value for WWW-Authenticate, >>> in particular `timeout=0` so the HTTP authentication can be converted >>> into session cookies rather than sending the password in plaintext >>> (sure, it gets sent over TLS, but that doesn't matter) on every >>> request. Would anyone be interested in such proposal? >> >> What should happen when the time runs out? Is that just an ask to the >> client that it should drop the auth status at that point? >> >> I don't think this is enough to make people stop using cookies for >> logged in session status even if you would get someone to adopt. >> > > It's to stop using forms, not cookies. Cookies are more secure because > they don't keep re-sending the password such that a malicious or > compromised server could exfiltrate the plaintext. Using cookies for > logged in session status is a good thing. > Still, cookies have their problems. Would somebody be so kind and have a look at my proposal regarding cookies at: https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/ ... and naturally give it a comment or two :) Best regards, -R -- RafaĆ Pietrak
Received on Friday, 30 April 2021 11:33:29 UTC