
[whatwg] Solving the login/logout problem in HTML

From: Asbjørn Ulsberg <list@asbjorn.ulsberg.no>
Date: Thu, 27 Nov 2008 21:30:29 +0100
Message-ID: <op.ulaolhd8flu5h5@quark-mac-pro.local>
On Wed, 26 Nov 2008 23:42:33 +0100, Calogero Alex Baldacchino <alex.baldacchino at email.it> wrote:

> Martin Atkins wrote:
>> Your auth token here seems to me to be equivalent to a session cookie.

Yes, it does. But since session cookies are just that: cookies -- it isn't. An authentication token is different from a session cookie in that it can be persistent, based on the user's preferences, it won't be blocked by default anywhere (once supported, that is) since it isn't using the same fragile technology used by advertisers to track users and wreck their privacy and it won't have any of the problems cookies have since it isn't a cookie.

> Perhaps that token was meant as a cross-session one, surviving until an
> explicit logout

Yes, among other things. Since we're inventing a new token here, we can place any semantics and functionality in it we want. Re-using cookies would take us exactly zero steps in the right direction. Cookies have their place, but authentication is theoretically imho not one of them. In practice, there's really no other alternative today.

Asbjørn Ulsberg         -=|=-          asbjorn at ulsberg.no
"He's a loathsome offensive brute, yet I can't look away"
Received on Thursday, 27 November 2008 12:30:29 UTC
