- From: Dan Brotsky <dbrotsky@adobe.com>
- Date: Tue, 17 Sep 2002 01:13:04 -0700
- To: Webdav WG <w3c-dist-auth@w3.org>
>
> Lisa Dusseault wrote:
>
>> RFC 2518 is silent on cookies.... it was proposed that RFC2518 bis
>> ... say that
>> "clients SHOULD support cookies".

I also strongly oppose any mention of cookies, and would vehemently
oppose any proposal that clients SHOULD support cookies with WebDAV.

In addition to all the very good arguments mentioned so far, I would
add that the cookie spec *requires* providing explicit user control of
the use of cookies. This means that clients which support cookies have
to support a whole bunch of UI that has arguably nothing to do with
distributed authoring, either complicating their user model or forcing
them to tie together the use of their client with the use of a browser
(where cookie control UI typically lives).

By the way, Adobe has yet to test against a WebDAV server that does
cookie-based authentication that did not (in our view) start out with
some serious security holes. Even our own implementations, for use
with servers that provided Web-based UIs, took months to get to a
reasonably-secure place.

If I were to advocate that the spec say anything about cookies, it
would be that servers SHOULD NOT use cookies as an authentication
mechanism.

dan

Received on Tuesday, 17 September 2002 04:13:42 UTC