[FoRK] DNT: another example of "you can't make this shit up"

Stephen Williams sdw at lig.net
Mon Oct 15 10:40:34 PDT 2012


On 10/15/12 10:25 AM, Damien Morton wrote:
> On Thu, Oct 11, 2012 at 5:41 PM, Stephen D. Williams <sdw at lig.net> wrote:
>
>> We need something like cookies, at least some of the time.
>
> Oh yeah - when do "we" need cookies?
>
> What does a user do with a cookie? Nothing, they don't even see them.
>
> If you have a way of presenting something like a BrowserID - a crypto
> mashup of username/password/domain - any state can be stored server-side

Which can be implemented trivially with the cookie protocol syntax. Simply start adding it to browsers.  For the server side, 
you could retrofit existing applications with a reverse proxy.  The proxy could translate a BrowserID, when present, to locally 
stored cookies.

Cookies are needed when the browser is in anonymous mode, even though cookies quickly lose real anonymity.
The main use of cookies is for a session key inside TLS-protected web apps.  A BrowserID, as you described it, is not sufficient 
to replace a session key: The session key has to be unique to the session.

What about authentication stronger than username/password?  How would a token- or PKI-authenticated session work?

Besides not leaving quite as much local information in browser local databases, and perhaps being nicer for cross-browser / 
computer context continuity, what do you see as the benefits of BrowserID vs. cookies?  They seem equivalent for many purposes.

sdw
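The reverse-proxy idea in the reply above (translate a BrowserID-style assertion into locally stored cookies for a legacy application) and the point about session keys needing to be unique per session can be shown together in one small program. What follows is an added example written for this archive page, not code from the thread's participants or from the BrowserID project. It assumes a toy assertion format (`email|expiry|hmac-tag`, signed with a key shared with a hypothetical identity provider) and a hypothetical `X-BrowserID-Assertion` request header; real BrowserID used signed JSON certificates, so the verification step here is a stand-in for that. The proxy accepts a valid assertion, mints a fresh random session cookie, and from then on forwards the legacy app's own cookie; the same assertion presented twice yields two different session keys, which is exactly why the stable identity token cannot itself be the session key.

```python
"""Added example: BrowserID-style assertion -> per-session cookie translation."""
import hashlib
import hmac
import secrets
import time

IDP_KEY = b"constructed-idp-secret"   # constructed; shared with the toy identity provider
SESSION_TTL = 3600                    # seconds a minted session stays valid


def make_assertion(email, key=IDP_KEY, now=None):
    """Toy identity-provider side: sign 'email|expiry' with an HMAC (constructed format)."""
    exp = int((now if now is not None else time.time()) + 300)
    msg = f"{email}|{exp}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{email}|{exp}|{tag}"


def verify_assertion(assertion, key=IDP_KEY, now=None):
    """Return the asserted email if the tag is valid and unexpired, else None."""
    now = now if now is not None else time.time()
    try:
        email, exp, tag = assertion.split("|")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(key, f"{email}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if exp < now:
        return None
    return email


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


class SessionProxy:
    """Reverse-proxy translation layer in front of a cookie-based legacy app."""

    def __init__(self):
        self.sessions = {}   # session id -> (email, expiry timestamp)

    def handle(self, headers, now=None):
        """Translate one request.

        Returns (upstream_headers, set_cookie). set_cookie is the Set-Cookie value
        to send back when a new session was minted, otherwise None. An empty
        upstream_headers dict means the request is unauthenticated.
        """
        now = now if now is not None else time.time()
        sid = parse_cookie(headers.get("Cookie", "")).get("session")
        if sid in self.sessions:
            email, expiry = self.sessions[sid]
            if expiry > now:
                # Existing session: just forward the cookie the legacy app expects.
                return {"X-Authenticated-User": email, "Cookie": f"session={sid}"}, None
            del self.sessions[sid]   # expired: drop it so it cannot be replayed
        assertion = headers.get("X-BrowserID-Assertion")   # hypothetical header name
        email = verify_assertion(assertion, now=now) if assertion else None
        if email is None:
            return {}, None
        # The assertion identifies the user but is stable across logins, so it is
        # not the session key: mint a fresh, unguessable key for this session only.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (email, now + SESSION_TTL)
        upstream = {"X-Authenticated-User": email, "Cookie": f"session={sid}"}
        return upstream, f"session={sid}; Secure; HttpOnly; SameSite=Lax"

    def logout(self, sid):
        """Invalidate a session server-side; the identity assertion stays valid."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    proxy = SessionProxy()
    a = make_assertion("alice@example.com")
    _, cookie1 = proxy.handle({"X-BrowserID-Assertion": a})
    _, cookie2 = proxy.handle({"X-BrowserID-Assertion": a})
    print("same assertion, distinct sessions:", cookie1 != cookie2)
```

Logging out removes only the session entry; the assertion itself is still valid until it expires, which is the practical difference between an identity token and a session key that the reply draws.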
