Re: Cookie Question
Ari Luotonen (luotonen@netscape.com)
Fri, 14 Feb 1997 12:57:39 -0800 (PST)
> Could one or both of you explain what it would be used for?
> It would help the rest of us support such a proposal.
> Just asserting it would be useful doesn't help us (as a working
> group) understand (or understand what problems it would present
> that have to be thought about).
I'll list some off the top of my head:
  o one-time password/SecurID type authentication where a cookie is
    issued and considered as valid credentials for a certain period of
    time and then expired
  o other access control data, e.g. ACLs
  o being able to track usage patterns without forcing user
    authentication
  o being able to customize the view through the proxy
  o maintaining client state on proxy side that is useful and necessary,
    e.g.
      o to guarantee that a Java originated connection gets to the
        same IP address as the Java applet was loaded from (to
        avoid the DNS spoofing attack)
      o to guarantee the same proxy route to the origin server, to
        avoid problems where sites would associate a client cookie
        with the incoming IP address, and with multiple different
        proxy routes end up in a situation where client's cookie is
        considered invalid by the origin server because it came
        through a different proxy route (different source IP
        address)
The two last subitems I don't mind if HTTP WG proposes some other
mechanism to deal with them; however, if we go with Proxy-cookies
(which I fully support), this would be a possible solution.
Cheers,
--
Ari Luotonen * * * Opinions my own, not Netscape's * * *
Netscape Communications Corp. ari@netscape.com
501 East Middlefield Road http://home.netscape.com/people/ari/
Mountain View, CA 94043, USA Netscape Proxy Server Development