Re: [http-state] cake and session stealing

Adam Barth <ietf@adambarth.com> Tue, 27 July 2010 09:27 UTC

In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03EB773754@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03EB773659@SISPE7MB1.commscope.com> <AANLkTi=2y+EDtyer3vn-eX8j-ao0U9jGnS-PDirqSojB@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB773720@SISPE7MB1.commscope.com> <AANLkTikB-Xn-t-_0pHoY+9eWZueAUyXLfnd5cF=mJO9G@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB77373E@SISPE7MB1.commscope.com> <AANLkTimEMK2O5ZMR1HR3gRTX6H8bwmifKVQ4FvPQxotu@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB77374D@SISPE7MB1.commscope.com> <AANLkTi=dZ-9NsNGFyOaqQDUFkJZ3JKV024PpsGm=qg8s@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03EB773754@SISPE7MB1.commscope.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 27 Jul 2010 11:27:24 +0200
Message-ID: <AANLkTinVGSmbF4Um+-5T32dMVu1v3EwFNSJUhaYgzZX7@mail.gmail.com>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] cake and session stealing

Thanks.  I'll put together an I-D that explains the whole thing from
soup to nuts.

Adam


On Tue, Jul 27, 2010 at 11:23 AM, Thomson, Martin
<Martin.Thomson@andrew.com> wrote:
> OK, thanks Adam.
>
> I'm happy.  I'll say what (I think) EKR did: it's not a terrible idea.  It could work.
>
> Obviously, the tracking thing needs a bit more consideration, and the self-signed cert option (which sounds like a cool idea) will require server changes, but those are secondary problems.
>
> --Martin
>