Hi James, > Great writeup of the state of the union for Web-based authentication > methods. Thanks. It is far from complete in that sense, but I hope it illustrates the frog-in-the-frying-pan state we are in with session cookies. > As you mention, your paper is primarily an argument for fixing HTTP > auth. That might make a better title for it, in fact, since that does > seem to be the primary thrust of the arguments presented. Or at least, > "If We Wean the Web Off of Session Cookies, This Is Some of What We'd > Have to do". I wasn't convinced at all that Weaning the Web Off of > Session Cookies was the logical conclusion of the data you presented. I had a hard time conveying what I wanted to with the title. As far as being convincing, well, I guess it's a matter of perspective. > To solve problems with forms-based auth + session tokens, we only have > to fix some things in Web app frameworks, many of which have already > been fixed in major platforms. Predictable session identifiers, for > instance, pretty much died out years ago. Yes, but app frameworks come and go. I think session cookies will continue to be a "maintenance" problem with respect to security. In addition, cookies are a pretty limited mechanism for providing more secure protocols. For instance, if I wanted to implement something like SRP <http://srp.stanford.edu/>, I can't simply treat the browser as a dumb repeater of cookie values. It needs to interact in a protocol-specific way that is much better suited to use in HTTP auth. A great example of this is Mutual authentication <https://www.rcis.aist.go.jp/special/MutualAuth/>, which implements SRP and can provide protection from phishing attacks. > To migrate to HTTP Digest > Auth, not only would we have to fix a few things in Web app > frameworks, we'd have to refactor a massive amount of custom code AND > convince all major browser vendors all to do the same right things and > THEN force everyone to update their UA to the latest version. > > I'm not sure you've identified the path of least resistance! :) It may not be a simple fix, but the first steps shouldn't have much resistance. While digest authentication isn't the best password protocol out there, it's almost usable right now and provides tangible security benefits for those adventurous developers who are willing to work around browser limitations. With some very small changes in browser behavior, form-based HTTP authentication becomes truly possible without ugly hacks. From there, I think it can gain some real traction under it's own merits. Of course some apps will always use cookies for flexibility or backward compatibility, but I don't see cookies *advancing* the safety of web authenticaiton. HTTP authentication schemes can do that. Thanks for the feedback, tim
