mailing list archives
Re: [Webappsec] Paper: Weaning the Web off of Session Cookies
From: "Timothy D. Morgan" <tmorgan () vsecurity com>
Date: Fri, 5 Feb 2010 08:06:09 -0800
Sorry for the slow reply. I'm overseas right now and it's tough to
keep up with email.
I think this thread might be about dead, but I will respond to a few
All good ideas, but I believe stillborn at this point. You would get
far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
separate data and control channel for the browser, and then look at
something like this for dynamic auth tokens, combined with data
structure nonces as well. Kill two birds with one stone. Folks that
want strong dynamic auth are probably largely the same folks who want
strong data structures enforced.
Far too often security initiatives fail to gain any momentum because
they bite of far more than they can chew. I'd love to redesign digest
authentication, for instance, or push for good browser support of some
truly safe HTTP authentication protocols, but that would be much more
likely to fail. I see this as a relatively easy fix to open up a new
option in web app development.
As more and more app development moves to hardware platforms
(iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
Google *.google.com apps, webmail, etc.) cookies are an easy and
transparent way to fly, that work now, all the time, and have clear
business drivers behind them for auth tracking (and working now, all
I never said cookies should go away. I merely want cookies to stop
being used for managing authenticated sessions in most applications.
Some applications may still require that flexibility, however, and for
those they can be more carefully audited.
The majority of internet users use modern apps where auth = "identity
tracking and sharing", and statistics support this.
These same users will readily glue their private, regulated, banking
apps together with Farmville in some mad web 2.0 gadget-ridden mashup,
that is cross-domain shared and scripted by default. Which is one area
Well, sure, they do currently rule. There's no reason HTTP
authentication can't be used to authenticate a cross-origin unified
I'm going to drop out of this thread as we are at a point where we
disagree on premise, and possibly ideology.
I'm fine to agree on disagreeing as well.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/