- From: Aaron Coburn <acoburn@apache.org>
- Date: Mon, 4 May 2020 19:19:49 -0400
- To: Martynas Jusevičius <martynas@atomgraph.com>
- Cc: Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
- Message-ID: <CAD4uyLdmQprx4qzfd=rC=L8mKjzaaVENsJX78aBQYCGrO+Aswg@mail.gmail.com>
> I think all Solid servers use cookies No, not all Solid server use cookies for authentication. Some don't use cookies at all, even when they use OIDC-based authentication. On Mon, 4 May 2020 at 18:49, Martynas Jusevičius <martynas@atomgraph.com> wrote: > WebID-TLS does not require a cookie. > > On Tue, 5 May 2020 at 00.14, Melvin Carvalho <melvincarvalho@gmail.com> > wrote: > >> Was chatting to Kingsley and Dmitri lately and I realized that quite >> often WebID over HTTP is authenticated via a shared secret. Namely a >> cookie. >> >> We realized that this is not documented anywhere. And I asked dmitri >> about it usage. Im just capturing the responses here. >> >> "I think all Solid servers use cookies (and store the WebID in the cookie >> session) as a local authentication method, in addition to TLS and OIDC. >> It's very convenient; the only reason it's not the main mechanism is of >> course, it's domain-specific." >> >> and >> >> "I don't think it's written up anywhere. I think it's because each >> implementation's cookie session mechanism is slightly different. >> But usually, it goes like: >> >> 1. When a user logs in (via username and password, or TLS, or OIDC >> token), you put their WebID in your session. (request.session.webId = >> <user's authenticated webId>) >> 2. In all the other requests, you just use request.session.webId directly. >> >> And the server's (Express.js, or whatever the other ones are using) >> session cookie store takes care of it." >> >> This actually might be one of the more common types of WebID auth. >> >> Would it be worth writing up, and should it be called: >> >> WebID + Cookie or >> WebID + Shared Secret? >> >
Received on Monday, 4 May 2020 23:20:16 UTC