Should web developers say no to cookie-based authentication?

Posted Mar 25, 2010 20:31 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
Parent article: Should web developers say no to cookie-based authentication?

WTF?

Cookies are just a way to store a session-id. I'd understand if the author wanted to define a special session-tracking API (in essence, adding state to HTTP) with protection against cross-site scripting, etc.

But this crap? No way.

How can I use OpenID with digest authentication? How do I use GSSAPI (Kerberos or SMKP)?

Use the single responsibility principle and split the spec into session-tracking stuff and use digest authentication as one way to provide session identifiers.


Should web developers say no to cookie-based authentication?

Posted Mar 26, 2010 21:19 UTC (Fri) by jo42 (subscriber, #59640)

Are you looking for the Kerberos or OpenID authentication module of Apache and instructions like these: http://www.google.com/search?ie=UTF8&q=firefox%20kerb...

Should web developers say no to cookie-based authentication?

Posted Mar 26, 2010 21:20 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

No. I'm talking about the impossibility of using digest authentication and Kerberos/OpenID.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds