- From: Dan Brotsky <dbrotsky@adobe.com>
- Date: Tue, 17 Sep 2002 01:13:04 -0700
- To: Webdav WG <w3c-dist-auth@w3.org>
> Lisa Dusseault wrote:
>
>> RFC 2518 is silent on cookies.... it was proposed that RFC2518 bis
>> ... say that
>> "clients SHOULD support cookies".

I also strongly oppose any mention of cookies, and would vehemently oppose any proposal that clients SHOULD support cookies with WebDAV.

In addition to all the very good arguments mentioned so far, I would add that the cookie spec *requires* providing explicit user control of the use of cookies. This means that clients which support cookies have to support a whole bunch of UI that has arguably nothing to do with distributed authoring, either complicating their user model or forcing them to tie together the use of their client with the use of a browser (where cookie control UI typically lives).

By the way, Adobe has yet to test against a WebDAV server that does cookie-based authentication that did not (in our view) start out with some serious security holes. Even our own implementations, for use with servers that provided Web-based UIs, took months to get to a reasonably-secure place. If I were to advocate that the spec say anything about cookies, it would be that servers SHOULD NOT use cookies as an authentication mechanism.

dan

Received on Tuesday, 17 September 2002 04:13:42 UTC