Hi Arian,

> Good points James. I read this paper a few times to make sure I got
> the point, and it's a cute idea but I just don't see it happening.

Pessimism is understandable; I don't fault you for that.

> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
> this is pretty much a non-starter. Cookies rule here. For a dozen
> different reasons that I can think of.

Well, I'm sure you read this, but digest auth can do SSO too, arguably better. Whatever wrappers frameworks put around cookies, which are a very simple primitive, can be wrapped around digest auth too.

> Always good to try and raise the bar, but the world has voted cookies
> (thanks Lou!) and I think they are here to stay for at least the next
> decade.

Definitely, they aren't going away, but we should start phasing them out of authentication. What the replacement is may be up in the air, but the bottom line is: cookies were a terrible idea for authentication when they were first introduced, and they are still a bad idea. We've been hit over the head with this for years.

> Oh, yeah, and marketing rules the world, and web sales and marketing
> (and Google) LOVE cookies. So that is what it is and I really don't
> see that changing until they can inject a tracking device into your
> body.

As the paper points out, these business drivers act against making cookie primitives more usable for session management.

Thanks for taking the time to read it,
tim