On Fri, May 13, 2005 at 09:26:59AM +0530, Gaurav Vaish wrote:

> > The deployment strategy has to come first, how can this address a
> > pain
>
> In both the cases, I think, it's trivial to have a small patch. MS
> already gives automatic updates for IE. Task for Mozilla is trivial.
> Safari -- Apple also has an automatic updates feature.

In the first place, it's not a small patch. (Well, OK, renaming the cookie headers is a small patch. But somebody eventually would see through that; to get more than 6-12 months out of this idea would require more work than that.)

In the second place, not all HTTP clients come from the set {IE, Mozilla, Safari}. In fact, if you look simply at the number of clients (as opposed to weighting the number by the popularity), those are probably a very small minority. And there are still archaic versions of those three floating around.

> From developer's perspective -- most servers, especially J2EE and
> .Net based, use a central authentication / tracking system. So do
> most of the popular systems in PHP and Perl/CGI.

(I reiterate my second point above.)

> Websites no longer have to rely on cookies. Several times, as one of
> my friends in Yahoo says, users report that they are unable to login
> only to find that cookies have been disabled by the proxy server
> (transparent or otherwise) in their organizations.

Frequently, I suspect Yahoo is swimming upstream. There are good reasons why cookies are blocked; relying on them is probably not the best idea.

> btw, can you provide details of your proposal that you gave in 1995?
> And what was Dave's proposal in 1992?

Uh, me, too.

> Remember, again, that the ID expires immediately. And there's a
> provision to unset. The former addresses Section 2.2.2 of RFC 2964
> (pointed out by Florian).

Does it? The Auth-ID is still transmitted in the clear, exposing it to everything between the server and the client. And expiration wouldn't automatically fix the problem of the client leaking the token.
--
Tommy McGuire

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf