Should web developers say no to cookie-based authentication?

I dont buy the "more secure" line. Digest authentication has lots of drastic problems including password equivalent data on the server. The bad design of the flawed cookies systems is the problem and *not* the use of cookies.

Cookies, and usually java, can be used to implement security which is *much more secure* than digest authentication. Session hijacking, cookies as sent over the wire and any previous values can all be easily rendered useless.

Taking a leaf out of secure RPC's book and using storing a public key and encrypted private key on the server requires the use of cookies. If you want to use SRP the deal is the same: you must use cookies. Either way implementing the flaws described is less probable than SQL injection attacks via evil cookie values.

If the application is LWN then security it is not critical: the marginal cost of shipping a few unfunded bits is presumably minimal. It is enough for a reasonable majority of people to pay.

Duncan
P.S. You can implement digest logout now by always returning 401 if a cookie is not present, even if the credentials are valid. The logout button just deletes the cookie. You can include the cookie in the 401 response. I know this works in IE, firefox, opera and chrome.

A real browser "forget my credentials for this website" button would be much batter and more secure but I am fairly sure it will not be implemented within the next 3 years.