Interop issue: Can we require clients to accept cookies?

RFC 2518 is silent on cookies.  It requires support for RFC2068 (now
RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965).

Some WebDAV servers, however, rely on setting cookies to keep a session
for an unauthenticated user. For Basic authentication, cookies can
vastly reduce the number of times a nearly-clear-text password is sent
over the network, so cookies can make the interaction more secure.
Session cookies are less secure than Digest authentication, however
servers with low security requirements and high performance requirements
may prefer to use cookies.

In addition to being used for keeping sessions, cookies may be used to
keep track of other client preferences (this is theoretical as I do not
know of any actual examples).

Thus, it was proposed that RFC2518 bis reference RFC2965, and say that
"clients SHOULD support cookies". 

Discuss?
Lisa

Received on Sunday, 15 September 2002 14:14:37 UTC