Jeff King <peff@xxxxxxxx> wrote:
> On Thu, Oct 08, 2009 at 10:22:45PM -0700, Shawn O. Pearce wrote:
> > +Servers MUST NOT require HTTP cookies for the purposes of
> > +authentication or access control.
> > [...]
> > +Servers MUST NOT require HTTP cookies in order to function correctly.
>
> Why not? I can grant that the current git implementation probably can't
> handle it, but keep in mind this is talking about the protocol and not
> the implementation.

Good point... this document is about trying to explain the common
functionality that everyone can agree on.

> And I can see it being useful for sites like github
> which already have a cookie-based login.

What I'm concerned about is using the cookie jar. My Mac OS X laptop
has 5 browsers installed, each with their own #@!*! cookie jar:
Safari, Opera, Firefox, Camino, Google Chrome. How the hell is the
git client going to be able to use those cookies in order to interact
with a website that requires cookie authentication?

> Adapting the client to handle
> this case would not be too difficult (it would just mean keeping cookie
> state in a file between runs,

Saving our own cookie jar is easy, libcurl has some limited cookie
jar support already built in. We just have to enable it.

> or even just pulling it out of the normal
> browser's cookie store).

See above, I don't think this will be very easy.

> And people whose client didn't do this would
> simply get an "access denied" response code.

And then they will email git ML or ask on #git why their git client
can't speak to some random website... and it's because they used "lynx"
or yet-another-browser whose cookie jar format we can't read.

> Is there a technical reason not to allow it?

Not technical, but I want to reduce the amount of complexity that
a conforming client has to deal with to reduce support costs for
everyone involved.

I weakened the sections on cookies:

+ Authentication
+ --------------
....
+ Servers SHOULD NOT require HTTP cookies for the purposes of
+ authentication or access control.

and that's all we say on the matter. I took out the Servers MUST NOT
line under session state.

--
Shawn.
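
Review bot: the "Servers SHOULD NOT require HTTP cookies for the purposes of authentication or access control" line in the Authentication section now allows a server to require cookies, but the visible text does not say what a conforming client is expected to do when it meets such a server. Suggest adding one sentence stating that clients are not required to store or send cookies, and one stating how a server that does require them should refuse a cookie-less client (the thread mentions an "access denied" response code), so the failure is diagnosable on the client side. With the "Servers MUST NOT require HTTP cookies in order to function correctly" line dropped from session state, it would also help to say explicitly whether cookies used for non-authentication state are left unspecified on purpose.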