[whatwg] Weaning the Web off of Session Cookies
Timothy D. Morgan
tmorgan at vsecurity.com
Fri Feb 5 10:41:31 PST 2010
Hello,

Not long ago I published a paper which makes some observations about
the state of security in web session management and proposes some
small changes in browsers. Someone suggested I post it here for
comments. See:

http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

I'm currently most interested in feedback on the proposed change in
401 behavior vs the possible header addition for log outs. I realize
the WHATWG may not mess with stuff at the HTTP level much, but I
definitely welcome any comments.

Regards,
tim