From: Ryan M. <rpm...@st...> - 2001-11-15 17:47:25
I'm aware that cookies are an HTTP extension, but so is WebDAV. They are simply extensions that increase the utility of HTTP itself. While I would agree with you that using cookies for authentication is not the ideal mechanism, I wouldn't classify it as a hack. It is dealing with reality. Developing an intra-institutional centralized authentication mechanism makes users' and administrators' lives simpler. It is more secure than replicating authentication information/mechanisms across each application or service, or having each application developer design his or her own way of doing it. As I'm sure that you can realize, this would be a very bad, insecure approach. So, as PKI is not really that feasible yet to deploy on any given campus, we need to use cookies. If it makes you more comfortable, we can also use GET data. But we do need redirection support. I am very pleased that you are concerned about security, but I would ask you to consider what is actually more secure, avoiding cookies and forcing people that use your software to implement ugly authN hacks on the server side, or take some time, support cookies well, and have a more elegant authN solution for the local network. I would be happy to hear your thoughts on how to solve this problem well. Internet2/MACE's web-iso project is quickly closing in on a standard. So if you know of how we can do things better and more securely (that doesn't require anything other of the user than commodity software like a browser), we would love to hear about it. Essentially, my goal is to be able to make the case for wide usage of your software. The tier 1 and 2 research institutions are the primary participants in I2. We help to guide the way for smaller schools that have less money to spend on IT Architecture research. My side project right now is to make the case for converting to WebDAV for enterprise filesharing. Being able to use davFS as part of this scheme would be rather useful.
If it is not in line with what your development goals are, I can respect that, and solve the problem in another way or with other software. Hopefully you can see the potential of getting this support in your software. But if not, that's your prerogative. ;-)

--Ryan

On Wed, 2001-11-14 at 02:20, Joe Orton wrote:
>
> On 10 Nov 2001, Ryan Muldoon wrote:
> >
> > > I am rather interested in webDAV, and davfs looks like a really cool
> > > project. I admit, I just discovered it about five minutes ago, but I
> > > have a quick question/request. One of the big problems with most DAV
> > > clients right now is that they don't fully support HTTP.
>
> Cookies are an HTTP *extension*, they are not a part of the HTTP
> specification itself. Using cookies for authentication is a hack; there
> is no need for a DAV client to support cookies to be interoperable. (in
> fact since implementing cookie support badly in a client can lead to
> security problems, I would hope most DAV clients don't naively implement
> cookies "just in case").
>
> Regards,
>
> joe