Re: example for OOBC with cookies (was Re: change proposal)

On Jun 26, 2013, at 4:06 AM, Ronan Heffernan wrote:

>    I agree that any attempt to manipulate out-of-band via an in-band mechanism is a problem.  Regarding in-band UGE, however, cookies seem like a poor way to store those exceptions, since cookies get cleared so often.

My assumption is that the UGE will never be implemented in practice
in a way that is consistently usable across browsers and capable
of being trusted by servers.  Hence, my bar is relatively low.

However, I didn't say that browsers would be required to implement
them as normal cookies or let them be reset like cookies.  The
Cookie protocol would simply be used for their communication, which
has the benefit of being backwards compatible with older browsers
that do not implement any form of exceptions.  A newer browser
could choose to process and store these cookies separately from
the normal cookie store (or simply protect them from being reset)
if longevity is desired by the UA.

Note, however, that it is very likely that the tools which currently
reset cookies will be updated to also reset anything else that
looks like client-side state, including whatever we define for
a UGE, so the notion that UGEs are somehow more persistent than
cookies is unlikely to hold up long, even if the browsers
implement them according to the spec.

....Roy

Received on Wednesday, 26 June 2013 13:32:32 UTC
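The mechanism Roy sketches above (the Cookie protocol as the transport, with a newer UA free to park exception cookies in a separate store that a plain "clear cookies" does not touch) and his caveat that clearing tools will soon wipe that store too can both be shown in a small simulation. This is an added example, not code from the thread or from any browser or working-group draft; the `DNT-UGE-` name prefix, the `=1` value, the `example.com` site and the `session` cookie are all assumptions made up for the illustration.

```python
# Simulation of "UGE carried as a cookie": an older UA treats it as an
# ordinary cookie, a newer UA routes it to a protected store.  Added example;
# the cookie naming convention below is an assumption, not a spec.

UGE_PREFIX = "DNT-UGE-"   # assumed convention: DNT-UGE-<site>=1 means "exception granted"


class UserAgent:
    """Minimal cookie jar.  protect_uge=False models a pre-UGE browser that
    only knows the Cookie protocol; protect_uge=True models a newer browser
    that keeps exception cookies out of the normal, frequently-cleared jar."""

    def __init__(self, protect_uge):
        self.protect_uge = protect_uge
        self.cookies = {}     # normal cookie store: name -> value
        self.uge_store = {}   # separate store the newer UA shields from "clear cookies"

    def receive_set_cookie(self, header_value):
        # Only the first name=value pair matters here; attributes are ignored.
        pair = header_value.split(";", 1)[0].strip()
        name, _, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if self.protect_uge and name.startswith(UGE_PREFIX):
            self.uge_store[name] = value
        else:
            self.cookies[name] = value   # older UA: just another cookie

    def clear_cookies(self):
        # What today's "clear cookies" does: empties the normal jar only.
        self.cookies.clear()

    def clear_all_client_state(self):
        # Roy's caveat: a clearing tool updated to reset anything that looks
        # like client-side state, the protected store included.
        self.cookies.clear()
        self.uge_store.clear()

    def cookie_header(self):
        # Both stores are merged into one ordinary Cookie header, so the
        # server sees the same wire format from old and new UAs alike.
        items = list(self.uge_store.items()) + list(self.cookies.items())
        return "; ".join(f"{n}={v}" for n, v in items)


def server_has_exception(cookie_header, site):
    """Server side: does the incoming Cookie header carry a granted exception
    for `site`?  Works against any UA that speaks the Cookie protocol."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == UGE_PREFIX + site and value == "1":
            return True
    return False


def run_scenario():
    """Walk one site through an old UA and a new UA; return what the server
    would conclude at each step."""
    site = "example.com"   # constructed sample site
    grant = f"{UGE_PREFIX}{site}=1; Path=/; Max-Age=31536000"   # constructed Set-Cookie
    results = {}

    old = UserAgent(protect_uge=False)
    old.receive_set_cookie(grant)
    old.receive_set_cookie("session=abc123; Path=/")   # constructed unrelated cookie
    results["old_before_clear"] = server_has_exception(old.cookie_header(), site)
    old.clear_cookies()
    results["old_after_clear"] = server_has_exception(old.cookie_header(), site)

    new = UserAgent(protect_uge=True)
    new.receive_set_cookie(grant)
    new.receive_set_cookie("session=abc123; Path=/")
    results["new_before_clear"] = server_has_exception(new.cookie_header(), site)
    new.clear_cookies()                    # ordinary cookie reset: UGE survives
    results["new_after_clear"] = server_has_exception(new.cookie_header(), site)
    new.clear_all_client_state()           # updated clearing tool: UGE gone too
    results["new_after_full_reset"] = server_has_exception(new.cookie_header(), site)
    return results


if __name__ == "__main__":
    for step, seen in run_scenario().items():
        print(f"{step}: server sees exception = {seen}")
```

The point the simulation makes is that backwards compatibility costs nothing on the wire (the server-side check is identical for both UAs), while the extra persistence of the separate store only lasts until clearing tools learn about it.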