* Gaurav Vaish:

> Can we have a header called Auth-ID which may perform the task of a
> session-ID. Instead of putting in form-data or part-of-URL (which
> leads to a must-form-on-every-request) or as cookies (sometimes
> disabled, for good reasons as mentioned in thread), we can have it as
> a separate header.

Your proposal does not address one of the problems raised in Section 2.2.2 of RFC 2964:

    Similarly, HTTP State Management SHOULD NOT be used to authenticate
    user requests if unauthorized requests might have undesirable
    side-effects for the user, unless the user is aware of the potential
    for such side-effects and explicitly consents to such use. For
    example, a service which allowed a user to order merchandise with a
    single "click", based entirely on the user's stored "cookies", could
    inconvenience the user by requiring her to dispute charges to her
    credit card, and/or return the unwanted merchandise, in the event
    that the cookies were exposed to third parties.

Nowadays, this is called "Cross-Site Request Forgery", or "Session Riding". Standardizing some cookie-lookalike which doesn't address this problem seems rather pointless to me.
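An added illustration of the RFC 2964 scenario quoted above, written for this page and not taken from the thread or from any IETF document: a side-effecting action authorised entirely by a stored, automatically attached credential accepts a request regardless of where it was initiated, whereas requiring a per-session value that only the first-party page can present does not. The session store, the header name `X-CSRF-Token` and the sample requests are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session token.
SESSIONS = {}


def start_session():
    """Create a session and the secret the first-party page will be given."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def place_order_cookie_only(request):
    """The RFC 2964 scenario: the order is authorised by the stored cookie
    alone, so any request carrying that cookie succeeds, wherever it came from."""
    sid = request.get("cookies", {}).get("session")
    return sid in SESSIONS


def place_order_with_token(request):
    """Mitigated form: the cookie identifies the session, but the action also
    requires the session's token in a header. The browser does not attach
    that header on its own; only a page that was handed the token can add it."""
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return False
    token = request.get("headers", {}).get("X-CSRF-Token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    return hmac.compare_digest(token, SESSIONS[sid])


def make_requests(sid):
    """Constructed sample requests for one session. The first-party page can
    read its token and put it in a header; a request initiated from another
    site arrives with only the ambient cookie the browser attached."""
    first_party = {"cookies": {"session": sid},
                   "headers": {"X-CSRF-Token": SESSIONS[sid]}}
    cross_site = {"cookies": {"session": sid}, "headers": {}}
    return first_party, cross_site


if __name__ == "__main__":
    sid = start_session()
    first_party, cross_site = make_requests(sid)
    print("cookie-only, cross-site:", place_order_cookie_only(cross_site))  # True
    print("with token, cross-site:", place_order_with_token(cross_site))    # False
    print("with token, first-party:", place_order_with_token(first_party))  # True
```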