- From: Clemm, Geoff <gclemm@rational.com>
- Date: Mon, 16 Sep 2002 07:16:34 -0400
- To: Webdav WG <w3c-dist-auth@w3c.org>
I agree with Stefan (i.e. that nothing about cookies should appear in 2518bis), for the reasons he states, unless I hear a compelling argument for why clients should be required to accept cookies in order for WebDAV to work properly.

Cheers,
Geoff

-----Original Message-----
From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]
Sent: Monday, September 16, 2002 4:44 AM
To: Lisa Dusseault
Cc: Webdav WG
Subject: Re: Interop issue: Can we require clients to accept cookies?

On Sunday, 15 September 2002, at 20:13, Lisa Dusseault wrote:

> RFC 2518 is silent on cookies. It requires support for RFC2068 (now
> RFC2616), but does not reference the HTTP Cookie RFC (RFC 2965).
>
> Some WebDAV servers, however, rely on setting cookies to keep a session
> for an unauthenticated user. For Basic authentication, cookies can
> vastly reduce the number of times a nearly-clear-text password is sent
> over the network, so cookies can make the interaction more secure.
> Session cookies are less secure than Digest authentication, however
> servers with low security requirements and high performance requirements
> may prefer to use cookies.
>
> In addition to being used for keeping sessions, cookies may be used to
> keep track of other client preferences (this is theoretical as I do not
> know of any actual examples).
>
> Thus, it was proposed that RFC2518 bis reference RFC2965, and say that
> "clients SHOULD support cookies".

I think we agree that a server should not depend on the client handling cookies. WebDAV needs to function without them. Therefore the spec should not mention them. I see the risk that servers or client implementors might be tempted to rely on it.

It is certainly a good idea to collect implementation advice in some FAQ or the webdav book of why.

//Stefan
Received on Monday, 16 September 2002 07:17:38 UTC