On Sun, Jan 31, 2010 at 4:50 PM, Chris Hills <[email protected]> wrote:
> On 31/01/2010 18:12, Timothy D. Morgan wrote:
>> That's handy, but doesn't that mean the website you're accessing will
>> still use cookies once you're authenticated?
>
> Yes it does :/ But I think it's easier to get sites to implement OpenID
> than it is to support HTTP Auth with certificates. Do you think it is
> possible to use OpenID without cookies?

I suspect it's difficult to use OpenID without cookies in today's browsers. The challenge is you need some way to bind the session to the user's browser.

It might be interesting to think about ways that browsers could make OpenID (or an OpenID-like federated identity system) more awesome.

Tim, I need to read your paper in more detail, but could you summarize what problem you're trying to solve by avoiding cookies?

Adam
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
