Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

["Timothy D. Morgan" <tmorgan () vsecurity com>]

Hi Arian,

> Good points James. I read this paper a few times to make sure I got
> the point, and it's a cute idea but I just don't see it happening.

Pessimism is understandable; I don't fault you for that.

> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
> this is pretty much a non-starter. Cookies rule here. For a dozen
> different reasons that I can think of.

Well, I'm sure you read this, but digest auth can do SSO to, arguably
better.  Whatever wrappers frameworks put around cookies, which are a
very simple primitive, can be wrapped around digest auth too.

> Always good to try and raise the bar, but the world has voted cookies
> (thanks Lou!) and I think they are here to stay for at least the next
> decade.

Definitely, they aren't going away, but we should start phasing them
out of authentication.  What the replacement is may be up in the air,
but the bottom line is: Cookies were a terrible idea for
authentication when they were first introduced and they are still a
bad idea.  We've been hit over the head with this for years.

> Oh, yeah, and marketing rules the world, and web sales and marketing
> (and Google) LOVE cookies. So that is what it is and I really don't
> see that changing until they can inject a tracking device into your
> body.

As the paper points out, these business drivers act against making
cookie primitives more usable for session management.

Thanks for taking the time to read it,
tim