[whatwg] Weaning the Web off of Session Cookies

Timothy D. Morgan tmorgan at vsecurity.com
Fri Feb 5 10:41:31 PST 2010


Hello,

Not long ago I published a paper which makes some observations about
the state of security in web session management and proposes some
small changes in browsers.  Someone suggested I post it here for
comments. See:
  http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

I'm currently most interested in feedback on the proposed change in
401 behavior vs the possible header addition for log outs.  I realize
the WHATWG may not mess with stuff at the HTTP level much, but I
definitely welcome any comments.

Regards,
tim


More information about the whatwg mailing list