- From: Joe Orton <joe@manyfish.co.uk>
- Date: Mon, 16 Sep 2002 11:10:44 +0100
- To: Webdav WG <w3c-dist-auth@w3c.org>
On Sun, Sep 15, 2002 at 11:13:50AM -0700, Lisa Dusseault wrote: > RFC 2518 is silent on cookies. It requires support for RFC2068 (now > RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965). > > Some WebDAV servers, however, rely on setting cookies to keep a session > for an unauthenticated user. For Basic authentication, cookies can > vastly reduce the number of times a nearly-clear-text password is sent > over the network, so cookies can make the interaction more secure. > > Session cookies are less secure than Digest authentication, however > servers with low security requirements and high performance requirements > may prefer to use cookies. > > In addition to being used for keeping sessions, cookies may be used to > keep track of other client preferences (this is theoretical as I do not > know of any actual examples). > > Thus, it was proposed that RFC2518 bis reference RFC2965, and say that > "clients SHOULD support cookies". I'd strongly oppose that and hope the DAV spec remains silent on cookie support. There is a whole section in RFC2964 discouraging the use of cookies as an authentication mechanism. Regards, joe
Received on Monday, 16 September 2002 06:10:46 UTC