
Re: [Auth]meeting notes and LOC

From: Mario D. Santana
Subject: Re: [Auth]meeting notes and LOC
Date: Wed, 10 Jul 2002 09:11:14 -0400

address@hidden wrote:
> Cookies have security issues associated with them. [...]
> But, I think that more so, [...]
> Webservices != web browser.

I agree. But there are situations where either there is no choice (do 
it with a browser or not at all,) or the convenience outweighs the 
security concerns.

The answer, of course, is to push the cookies away from the framework.
Cookies are only the way we'll protect resources that are served to
thin-client browsers. For webservice resources that serve custom or
extensible or otherwise "smart enough" clients, we can go to town. Both
types of security will use the same framework.

MACS, for example, is protecting a couple of extranets and a discussion
server. The extranets have cookie-based protection (over SSL and all
that, like you mentioned.) The NNTP service doesn't even have the concept
of cookies -- it's tied into the framework in whichever way makes the
most sense for that particular application.

As always, it's about choice. Don't let's assume we know what's best for 
the user/integrator/developer.



Be braver -- you can't cross a chasm in two small leaps.
