[whatwg] Solving the login/logout problem in HTML

Asbjørn Ulsberg list at asbjorn.ulsberg.no
Thu Nov 27 10:50:32 PST 2008

On Wed, 26 Nov 2008 23:42:33 +0100, Calogero Alex Baldacchino <alex.baldacchino at email.it> wrote:

> Martin Atkins wrote:
>> Your auth token here seems to me to be equivalent to a session cookie.

Yes, it does. But since session cookies are just that: cookies -- it isn't. An authentication token is different from a session cookie in that it can be persistent, based on the user's preferences, it won't be blocked by default anywhere (once supported, that is) since it isn't using the same fragile technology used by advertisers to track users and wreck their privacy and it won't have any of the problems cookies have since it isn't a cookie.

> Perhaps that token was meant as a cross-session one, surviving untill an 
> explicit logout

Yes, among other things. Since we're inventing a new token here, we can place any semantics and functionality in it we want. Re-using cookies would take us exactly zero steps in the right direction. Cookies have their place, but authentication is theoretically imho not one of them. In practice, there's really no other alternative today.

Asbjørn Ulsberg         -=|=-          asbjorn at ulsberg.no
«He's a loathsome offensive brute, yet I can't look away»

More information about the whatwg mailing list