Re: Authentication/Session tracking question [was: HTTP/1.1 Protocol: Help Needed

* Gaurav Vaish:

>    Can we have a header called Auth-ID which may perform the task of a
> session-ID. Instead of putting in form-data or part-of-URL (which
> leads to a must-form-on-every-request) or as cookies (sometimes
> disabled, for good reasons as mentioned in thread), we can have it as
> a separate header.

Your proposal does not address one of the problems raised in Section
2.2.2 of RFC 2964:

   Similarly, HTTP State Management SHOULD NOT be used to authenticate
   user requests if unauthorized requests might have undesirable side-
   effects for the user, unless the user is aware of the potential for
   such side-effects and explicitly consents to such use.  For example,
   a service which allowed a user to order merchandise with a single
   "click", based entirely on the user's stored "cookies", could
   inconvenience the user by requiring her to dispute charges to her
   credit card, and/or return the unwanted merchandise, in the event
   that the cookies were exposed to third parties.

Nowadays, this is called "Cross-Site Request Forgery", or "Session
Riding".  Standardizing some cookie-lookalike which doesn't address
this problem seems rather pointless to me.

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
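The objection above is that any credential the browser attaches automatically (a cookie, or the proposed Auth-ID header) is also attached to requests a third-party page triggers, so the header alone cannot distinguish the user's own form submission from a forged one. The following is an added illustration, not code from the thread or from any IETF document: a minimal server-side handler that accepts the session from either a `sid` cookie or an `Auth-ID` header, and for state-changing requests additionally requires a per-session token that only the site's own pages can supply. The session id, secret and origin are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed server state: one logged-in session, keyed by a session id the
# browser attaches automatically (cookie, or the proposed Auth-ID header).
SERVER_SECRET = b"constructed-server-secret"
SESSIONS = {"s3ss10n-abc": "alice"}

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def session_id(req):
    """Ambient credential: the hypothetical Auth-ID header, else the sid cookie."""
    if "Auth-ID" in req.headers:
        return req.headers["Auth-ID"]
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None

def csrf_token(sid):
    """Per-session token the server embeds in its own forms. A third-party
    page cannot read it, so a request it triggers cannot carry it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

def handle(req, expected_origin="https://shop.example"):
    user = SESSIONS.get(session_id(req))
    if user is None:
        return 401, "no valid session"
    if req.method in ("GET", "HEAD"):
        return 200, f"hello {user}"
    # State-changing request: the ambient credential alone is not enough.
    origin = req.headers.get("Origin")
    if origin is not None and origin != expected_origin:
        return 403, "cross-origin request refused"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id(req))):
        return 403, "missing or invalid CSRF token"
    return 200, f"order placed for {user}"
```

The same check works whichever transport carries the session, which is the point of the objection: the defense lives in what the request must additionally prove, not in where the session id travels.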

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.