xml-dev - RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

[ Lists Home | Date Index | Thread Index ]

To: "Rich Salz" <rsalz@datapower.com>,"Elliotte Rusty Harold" <elharo@metalab.unc.edu>
Subject: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
From: "Joshua Allen" <joshuaa@microsoft.com>
Date: Mon, 5 Jan 2004 12:31:30 -0800
Cc: "Edd Dumbill" <edd@usefulinc.com>,"David Kunkel" <DKunkel@idealliance.org>,"XML-DEV" <xml-dev@lists.xml.org>
Thread-index: AcPTvVZhmSO1D8U9RmiYAuzeCJgtGQADR/dQ
Thread-topic: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

> > Why do sites insist on using cookies for user authentication?
> 
> HTTP auth requires SSL for all connections or else passwords can be
> stolen -- do you include that in your "setup in 5 minutes" overhead?
> With cookies, you only need SSL on the login page if you make the
cookie
> be an opaque ID into server state that has a time-out.  In general,
> login cookies are more secure with less overhead.

The login token stored in the cookie can always be embedded in the URL
path, which is what ASP.NET does when you set the "cookieless auth"
setting to true.  I've also done this in non-ASP systems, though not
sure how easy to configure in idealliance specific case.

Follow-Ups:
- RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: "Bob Wyman" <bob@wyman.us>
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
  - From: Rich Salz <rsalz@datapower.com>

Prev by Date: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Next by Date: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Previous by thread: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Next by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Index(es):
- Date
- Thread