- From: Martin Thomson <notifications@github.com>
- Date: Mon, 19 May 2025 19:00:01 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 20 May 2025 02:00:06 UTC
@martinthomson commented on this pull request.

> +In the proposed design, +the browser understands that when it makes a request to one of the resources that participates in the protocol, +it is expected to hold refreshed versions of the identified cookies. + +These cookies are expected to have very short validity periods. +The browser is able to refresh those cookies automatically by interacting with the session resource. +The main part of the protocol is the interactions between the browser and that session resource. + +Interactions with the session resource are a two-step process. +The first is a simple request that retrieves a fresh challenge. +The second posts a signature from the secret key over that challenge, +thereby proving to the server that the browser still has access to the key pair. +The response to the second request refreshes any of the affected cookies. + +This adds two round trips of latency every time that a cookie refresh is needed. +While some amount of delay is likely unavoidable, having two additional requests is fairly heavyweight.

Yeah, I meant to cut this.

```suggestion
```

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/pull/1094#discussion_r2096713325
You are receiving this because you are subscribed to this thread.
Message ID: <w3ctag/design-reviews/pull/1094/review/2852325987@github.com>
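
Review bot: The sentence describing the second step mixes terms: "posts a signature from the secret key over that challenge" and then "still has access to the key pair". Pick one, for example "posts a signature over that challenge made with the private key", so a reader does not take these for different keys. The first step says only that the challenge is "fresh"; a sentence on what that means here (single-use, time-limited, or tied to the session) would help, since the possession proof in step two rests on it.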