Weaning the Web off of Session Cookies

Nytro · December 6, 2011

Weaning the Web off of Session Cookies

Making Digest Authentication Viable

Version 1.0

Timothy D. Morgan

January 26, 2010

Contents
Abstract...........................................................................................................................................................1
Introduction....................................................................................................................................................1
Cookie-based Session Management.............................................................................................................1
HTTP Digest Authentication.......................................................................................................................2
RFC 2069 Mode................................................................................................................................................................................2
auth Mode..........................................................................................................................................................................................2
auth-int Mode....................................................................................................................................................................................3
Comparison....................................................................................................................................................3
Pitfalls of Cookie-based Sessions..................................................................................................................................................3
Limitations of Digest Authentication...........................................................................................................................................5
Comparison Summary.....................................................................................................................................................................6
Possible Solutions...........................................................................................................................................8
Form-based HTTP Authentication...............................................................................................................................................8
Approaches for Logout...................................................................................................................................................................9
Practical Concerns.......................................................................................................................................11
Immature Digest Implementations.............................................................................................................................................11
Weak User Interfaces for HTTP Authentication....................................................................................................................11
Application Server Support.........................................................................................................................................................13
Conclusion....................................................................................................................................................14
Acknowledgements.....................................................................................................................................14
References.....................................................................................................................................................15

Download:

http://vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

Sign In

Weaning the Web off of Session Cookies

Recommended Posts

Nytro

Join the conversation

Browse

Activity

Pages