Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

From: Timothy D. Morgan
To: Arian J. Evans
Cc: Full-Disclosure
Subject: Re: [Webappsec] Paper: Weaning the Web off of Session Cookies


Sorry for the slow reply.  I'm overseas right now and it's tough to
keep up with email.

I think this thread might be about dead, but I will respond to a few

> All good ideas, but I believe stillborn at this point. You would get
> far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
> separate data and control channel for the browser, and then look at
> something like this for dynamic auth tokens, combined with data
> structure nonces as well. Kill two birds with one stone. Folks that
> want strong dynamic auth are probably largely the same folks who want
> strong data structures enforced.

Far too often security initiatives fail to gain any momentum because
they bite off far more than they can chew.  I'd love to redesign digest
authentication, for instance, or push for good browser support of some
truly safe HTTP authentication protocols, but that would be much more
likely to fail.  I see this as a relatively easy fix to open up a new
option in web app development.

> As more and more app development moves to hardware platforms
> (iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
> Google * apps, webmail, etc.) cookies are an easy and
> transparent way to fly, that work now, all the time, and have clear
> business drivers behind them for auth tracking (and working now, all
> the time).
> Many modern web 2.0 products use cookies for auth = tracking, not auth
> = confidentiality.

I never said cookies should go away.  I merely want cookies to stop
being used for managing authenticated sessions in most applications.
Some applications may still require that flexibility, however, and for
those they can be more carefully audited.

> The majority of internet users use modern apps where auth = "identity
> tracking and sharing", and statistics support this.
> These same users will readily glue their private, regulated, banking
> apps together with Farmville in some mad web 2.0 gadget-ridden mashup,
> that is cross-domain shared and scripted by default. Which is one area
> cookies rule.

Well, sure, they do currently rule.  There's no reason HTTP
authentication can't be used to authenticate a cross-origin unified

> I'm going to drop out of this thread as we are at a point where we
> disagree on premise, and possibly ideology.

I'm fine to agree on disagreeing as well.

