Re: Interop issue: Can we require clients to accept cookies?

On Sun, Sep 15, 2002 at 11:13:50AM -0700, Lisa Dusseault wrote:
> RFC 2518 is silent on cookies.  It requires support for RFC2068 (now
> RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965).
> 
> Some WebDAV servers, however, rely on setting cookies to keep a session
> for an unauthenticated user. For Basic authentication, cookies can
> vastly reduce the number of times a nearly-clear-text password is sent
> over the network, so cookies can make the interaction more secure.
>
> Session cookies are less secure than Digest authentication, however
> servers with low security requirements and high performance requirements
> may prefer to use cookies.
>
> In addition to being used for keeping sessions, cookies may be used to
> keep track of other client preferences (this is theoretical as I do not
> know of any actual examples).
> 
> Thus, it was proposed that RFC2518 bis reference RFC2965, and say that
> "clients SHOULD support cookies". 

I'd strongly oppose that and hope the DAV spec remains silent on cookie
support.  There is a whole section in RFC2964 discouraging the use of
cookies as an authentication mechanism.

Regards,

joe

Received on Monday, 16 September 2002 06:10:46 UTC