Re: [access-control] non-GET threat model and authorization choreography

On Tue, 09 Oct 2007 13:15:06 +0200, Henri Sivonen <hsivonen@iki.fi> wrote:
> [...]

Ok, so here are some potential solutions to this problem:

   1. Use something other than GET.

   2. Keep an _independent_ HTTP cache for access request checks.

   3. Store the result of an access request check in a table. Invalidate
      this result at the end of a browser session.

   4. Store the result of an access request check in a table along with a
      timeout time from a dedicated HTTP header. Invalidate this result
      after the timeout time has been reached. If there is no timeout time
      do not store the result.

I don't think 1 is really an option. I can't really judge the feasibility
of 2. 3 seems annoying for debugging. 4 seems relatively easy to specify
and can work on top of the existing HTTP cache for the URI.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 9 October 2007 12:00:09 UTC
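To make option 4 concrete, here is an added example (not code from the thread or from any browser) of such a table in Python: a passed access request check is keyed by requesting origin, target URI and method, stored only when the response carries a timeout header, and dropped once the timeout time has been reached. The header name access-control-max-age and the key shape are assumptions; the thread fixes neither.

```python
from typing import Dict, Tuple

# Assumed name of the "dedicated HTTP header" that carries the timeout in
# seconds; the thread does not fix one, so this is a placeholder choice.
TIMEOUT_HEADER = "access-control-max-age"


class AccessCheckCache:
    """Option 4: cache a passed access request check only if the server gave
    a timeout, keyed by (origin, URI, method); separate from the HTTP cache."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str, str], float] = {}  # key -> expiry

    def store(self, origin: str, uri: str, method: str,
              response_headers: Dict[str, str], now: float) -> bool:
        """Record a passed check; returns True only if it was cached."""
        raw = response_headers.get(TIMEOUT_HEADER)
        if raw is None:
            return False  # no timeout time: do not store the result
        try:
            seconds = int(raw)
        except ValueError:
            return False  # malformed value: treat as absent, store nothing
        if seconds <= 0:
            self._entries.pop((origin, uri, method), None)  # explicit "no cache"
            return False
        self._entries[(origin, uri, method)] = now + seconds
        return True

    def is_valid(self, origin: str, uri: str, method: str, now: float) -> bool:
        """True if a fresh check exists; an entry past its timeout is dropped."""
        key = (origin, uri, method)
        expiry = self._entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._entries[key]  # invalidate after the timeout time
            return False
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed responses: one with a 600 s timeout, one with none."""
    cache = AccessCheckCache()
    origin, uri = "https://app.example", "https://api.example/items"
    stored = cache.store(origin, uri, "POST", {TIMEOUT_HEADER: "600"}, now=1000.0)
    skipped = cache.store(origin, uri, "DELETE", {"content-type": "text/plain"}, now=1000.0)
    fresh = cache.is_valid(origin, uri, "POST", now=1300.0)    # within 600 s
    expired = cache.is_valid(origin, uri, "POST", now=1700.0)  # past the timeout
    return stored, skipped, fresh, expired
```

Running demo() gives (True, False, True, False): the check with a timeout is cached and later expires, the one without a timeout is never stored.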