Re: [Auth]meeting notes and LOC
From: Mario D. Santana
Subject: Re: [Auth]meeting notes and LOC
Date: Wed, 10 Jul 2002 09:11:14 -0400

address@hidden wrote:
> Cookies have security issues associated with them. [...]
>
> But, I think that more so, [...]
> Webservices != web browser.

I agree. But there are situations where either there is no choice (do
it with a browser or not at all,) or the convenience outweighs the
security concerns.

The answer, of course, is to push the cookies away from the framework.
Cookies are only the way we'll protect resources that are served to
thin-client browsers. For webservice resources that serve custom or
extensible or otherwise "smart enough" clients, we can go to town. Both
types of security will use the same framework.

MACS, for example, is protecting a couple of extranets and a discussion
server. The extranets have cookie-based protection (over SSL and all
that, like you mentioned.) The NNTP service doesn't even have the concept
of cookies -- it's tied into the framework in whichever way makes the
most sense for that particular application.

As always, it's about choice. Don't let's assume we know what's best for
the user/integrator/developer.

Cheers!
mds
--
Be braver -- you can't cross a chasm in two small leaps.