OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

[ Lists Home | Date Index | Thread Index ]

> > Why do sites insist on using cookies for user authentication?
> HTTP auth requires SSL for all connections or else passwords can be
> stolen -- do you include that in your "setup in 5 minutes" overhead?
> With cookies, you only need SSL on the login page if you make the
> be an opaque ID into server state that has a time-out.  In general,
> login cookies are more secure with less overhead.

The login token stored in the cookie can always be embedded in the URL
path, which is what ASP.NET does when you set the "cookieless auth"
setting to true.  I've also done this in non-ASP systems, though not
sure how easy to configure in idealliance specific case.


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS