[whatwg] Cookie-based HTTP Authentication (draft-broyer-http-cookie-auth-00)

Thomas Broyer t.broyer at ltgt.net
Sun Jan 4 16:25:13 PST 2009

Hi all,

As I previously said, I spent some holiday time to put my thoughts
about "RFC2617-compliant cookie-based authentication" into an Internet
Today is my birthday (and the last day of my holidays) so I thought I
should do something special. I therefore submitted version 00 of my
work ("release early, release often" they said).

As written in the draft, discussion should go to the ietf-http-auth
list (if it happened to not be the appropriate list, please tell me so
I can fix it in the next version).

The Security Considerations section is not yet complete but for this
00 draft I thought the overall authentication process was the most
important (have a look at the examples too).

Thanks in advance for your feedback.

(My intent is to publish some kind of "reference implementations" and
"proof of concepts" in various languages later in my mercurial
repository http://broyer.info/hg/http-cookie-auth/ but if you'd like
to contribute now, just send me your code!)

---------- Forwarded message ----------
From: IETF I-D Submission Tool <idsubmission at ietf.org>
Date: Mon, Jan 5, 2009 at 1:15 AM
Subject: New Version Notification for draft-broyer-http-cookie-auth-00
To: t.broyer at ltgt.net

A new version of I-D, draft-broyer-http-cookie-auth-00.txt has been
successfully submitted by Thomas Broyer and posted to the IETF

Filename:        draft-broyer-http-cookie-auth
Revision:        00
Title:           Cookie-based HTTP Authentication
Creation_date:   2009-01-04
WG ID:           Independent Submission
Number_of_pages: 11

This document specifies an HTTP authentication scheme for use when
credentials are validated by an out-of-band mechanism (not defined
here) and later communicated to the server through the use of a
cookie.  Which out-of-band mechanism should be used, and how, is
described by the 401 (Unauthorized) response body.  It is common
practice that this mechanism is an HTML form, sending the user's
credentials with the use of an HTTP POST request to a tier URL which
will set a cookie in response; though this document doesn't preclude
the use of other mechanisms.

The IETF Secretariat.

Thomas Broyer
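The flow the abstract describes (a 401 whose body carries an HTML login form, a POST to a login URL that sets a cookie, then a cookie-bearing retry), as an added example that is not part of the post or the draft. The challenge parameter names, the URLs, the cookie name and the demo user are assumptions made for the example.

```python
import hashlib, hmac, secrets
from urllib.parse import parse_qsl

# Constructed demo data, not from the draft; passwords are stored as PBKDF2 hashes.
def pw_hash(pw, salt=b"demo-salt"):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

USERS = {"alice": pw_hash("correct horse")}
SESSIONS = {}                      # session id -> user name, server side only
LOGIN_URL, COOKIE_NAME = "/login", "sid"
# The draft calls the scheme "Cookie"; the parameter names in this
# challenge are assumptions made for the example, not the draft's.
CHALLENGE = f'Cookie realm="demo", form-action="{LOGIN_URL}", cookie-name="{COOKIE_NAME}"'
# The 401 body carries the out-of-band mechanism: here an HTML form.
LOGIN_FORM = (f'<form method="POST" action="{LOGIN_URL}">'
              '<input name="user"><input name="pass" type="password"></form>')

def unauthorized():
    return 401, {"WWW-Authenticate": CHALLENGE, "Content-Type": "text/html"}, LOGIN_FORM

def cookie_value(headers, name):
    """Pick one cookie out of a Cookie request header."""
    for part in headers.get("Cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def handle(method, path, headers, body=""):
    """One request in, (status, headers, body) out."""
    if method == "POST" and path == LOGIN_URL:
        form = dict(parse_qsl(body))
        user, pw = form.get("user", ""), form.get("pass", "")
        if user in USERS and hmac.compare_digest(USERS[user], pw_hash(pw)):
            sid = secrets.token_urlsafe(32)          # unguessable session id
            SESSIONS[sid] = user
            cookie = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
            return 303, {"Location": "/", "Set-Cookie": cookie}, ""
        return unauthorized()                        # bad credentials: re-challenge
    user = SESSIONS.get(cookie_value(headers, COOKIE_NAME))
    if user is None:
        return unauthorized()                        # missing or unknown cookie
    return 200, {"Content-Type": "text/plain"}, f"hello {user}"

def walkthrough():
    """Challenge, form POST, cookie-bearing retry: returns the three status codes."""
    s1, _, _ = handle("GET", "/", {})
    s2, h, _ = handle("POST", LOGIN_URL, {}, "user=alice&pass=correct+horse")
    sid = h["Set-Cookie"].split(";")[0].split("=", 1)[1]
    s3, _, _ = handle("GET", "/", {"Cookie": f"{COOKIE_NAME}={sid}"})
    return [s1, s2, s3]
```

Note that the server only ever trusts the session id it issued itself; the cookie is marked HttpOnly and Secure so the script layer cannot read it and it is not sent over plain HTTP.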
