Re: WWW-Authenticate proposal: timeout flag
Rafal Pietrak <cookie.rp@ztk-rp.eu> Fri, 30 April 2021 11:36 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 317823A11E0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 30 Apr 2021 04:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.472
X-Spam-Level:
X-Spam-Status: No, score=-7.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=ztk-rp.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3IUq6UuUJ2Q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 30 Apr 2021 04:36:39 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B633A11DE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 30 Apr 2021 04:36:38 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1lcROl-0000bS-1K for ietf-http-wg-dist@listhub.w3.org; Fri, 30 Apr 2021 11:33:31 +0000
Resent-Date: Fri, 30 Apr 2021 11:33:31 +0000
Resent-Message-Id: <E1lcROl-0000bS-1K@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lcROj-0000ah-53 for ietf-http-wg@listhub.w3.org; Fri, 30 Apr 2021 11:33:29 +0000
Received: from hax2-04.wsisiz.edu.pl ([213.135.44.188] helo=zorro.ztk-rp.eu) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lcROg-0005VC-VH for ietf-http-wg@w3.org; Fri, 30 Apr 2021 11:33:28 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ztk-rp.eu; s=2024; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:To:Sender:Reply-To:Cc:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=bO46+AL0XCjeqoIehuxVdbPMXzIznxBJ9qeYGWAo/HE=; b=eRTfLzeMbYrFwYRqc7bMxE/BQW XpsBG0f1CHtkh6AyRI0xuU0CqSbLJYMLDepJlvvluj9kBcEpxemzuWj42ye3YnRpYPrXJ06lvAIyC tefRV+Et1G1lKJJVUKFBegAeeDBizl8h3tbkbAAFkrYst3jUvKPvnwRt4xxMyTEbzQUM=;
Received: from ip-193-239-82-147.merinet.pl ([193.239.82.147]:49326 helo=[192.168.1.52]) by zorro.ztk-rp.eu with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94) (envelope-from <cookie.rp@ztk-rp.eu>) id 1lcRON-0026zg-9f for ietf-http-wg@w3.org; Fri, 30 Apr 2021 13:33:10 +0200
To: ietf-http-wg@w3.org
References: <11cedf9c-add4-d38c-8761-2ad4498caa47@gmail.com> <nycvar.QRO.7.76.2104292237510.30150@fvyyl> <e1f38a82-fc43-f420-63fa-68604721d536@gmail.com>
From: Rafal Pietrak <cookie.rp@ztk-rp.eu>
Message-ID: <b49b4943-0e12-b219-46b7-9988b3d3311f@ztk-rp.eu>
Date: Fri, 30 Apr 2021 13:33:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <e1f38a82-fc43-f420-63fa-68604721d536@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 193.239.82.147
X-SA-Exim-Mail-From: cookie.rp@ztk-rp.eu
X-SA-Exim-Version: 4.2.1 (built Sat, 13 Feb 2021 17:57:42 +0000)
X-SA-Exim-Scanned: Yes (on zorro.ztk-rp.eu)
Received-SPF: pass client-ip=213.135.44.188; envelope-from=cookie.rp@ztk-rp.eu; helo=zorro.ztk-rp.eu
X-W3C-Hub-DKIM-Status: validation passed: (address=cookie.rp@ztk-rp.eu domain=ztk-rp.eu), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1lcROg-0005VC-VH 326e138c1b342c92fe69c4ec93d7df0c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WWW-Authenticate proposal: timeout flag
Archived-At: <https://www.w3.org/mid/b49b4943-0e12-b219-46b7-9988b3d3311f@ztk-rp.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38769
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi everyone, W dniu 29.04.2021 o 22:50, Soni L. pisze: > > > On 2021-04-29 5:42 p.m., Daniel Stenberg wrote: >> On Thu, 29 Apr 2021, Soni L. wrote: >> >>> We'd like to be able to specify a timeout value for WWW-Authenticate, >>> in particular `timeout=0` so the HTTP authentication can be converted >>> into session cookies rather than sending the password in plaintext >>> (sure, it gets sent over TLS, but that doesn't matter) on every >>> request. Would anyone be interested in such proposal? >> >> What should happen when the time runs out? Is that just an ask to the >> client that it should drop the auth status at that point? >> >> I don't think this is enough to make people stop using cookies for >> logged in session status even if you would get someone to adopt. >> > > It's to stop using forms, not cookies. Cookies are more secure because > they don't keep re-sending the password such that a malicious or > compromised server could exfiltrate the plaintext. Using cookies for > logged in session status is a good thing. > Still, cookies have their problems. Would somebody be so kind and have a look at my proposal regarding cookies at: https://datatracker.ietf.org/doc/draft-pietrak-cookie-scope/ ... and naturally give it a comment or two :) Best regards, -R -- Rafał Pietrak
- WWW-Authenticate proposal: timeout flag Soni L.
- Re: WWW-Authenticate proposal: timeout flag Daniel Stenberg
- Re: WWW-Authenticate proposal: timeout flag Soni L.
- Re: WWW-Authenticate proposal: timeout flag Rafal Pietrak
- Re: WWW-Authenticate proposal: timeout flag Daniel Veditz
- Re: WWW-Authenticate proposal: timeout flag Rafal Pietrak
- Re: WWW-Authenticate proposal: timeout flag Rafal Pietrak
- Re: WWW-Authenticate proposal: timeout flag Rafal Pietrak