On Thu, 21 Feb 2008, Jonas Sicking wrote:
>
> [with cookies] One concern we found was that it makes it very easy for a
> site to accidentally grant access to a user's personal data without
> realizing this is done without the user's consent. I.e. the worry is that
> server administrators will think that just because a request includes a
> user's cookies, that the user has authorized the request. To use the
> examples above: [...]
>
> [without cookies] This both exposes the user to a greater risk since the
> requesting site is actually given the credential, and also risks
> creating a culture where people give out their passwords to other sites.
>
> [prompting user]
Prompting the user here should be right out, IMHO. Users would not be able to make informed decisions.

In my opinion, the problem described as [without cookies] above is many orders of magnitude worse than the theoretical problem described under [with cookies]. In addition, the risk given above under [with cookies] is present even without cookies, it just migrates to whatever other authentication mechanism is used.

I think ironically that not sending cookies is therefore by far the least secure option we are faced with here.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
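Added example, not part of the thread and not code from either participant: a small Python model of the server-side mistake Jonas describes ("the request carries the user's cookies, so the user must have authorized it") beside the handler that keeps the two questions apart: the cookie identifies the user, the requesting site's identity is a separate authorization decision. The header names used (Origin, Access-Control-Allow-Origin, Access-Control-Allow-Credentials), the origins, the session table and the request objects are all assumptions constructed for the example; the thread names none of them.

```python
# Added illustration (not from the thread): how a server should reason about
# a cross-site request that arrives with the user's cookies.
#
# The Origin / Access-Control-* header names are the modern CORS names and
# are an assumption here; the thread does not name them.

from dataclasses import dataclass, field

# Constructed sample: the site's own origin and the partner sites it has
# deliberately chosen to share the user's data with.
SITE_ORIGIN = "https://example.test"
ALLOWED_ORIGINS = {"https://partner.test"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def session_user(req):
    """Resolve the session cookie to a user (constructed lookup table)."""
    sessions = {"sess-abc": "alice"}
    return sessions.get(req.cookies.get("session"))


def naive_handler(req):
    """The mistake in the thread: a valid session cookie is treated as the
    user's consent for whichever site made the browser send the request,
    and the requesting origin is reflected back so that site can read the
    response."""
    user = session_user(req)
    if user is None:
        return Response(401)
    origin = req.headers.get("Origin", SITE_ORIGIN)
    return Response(200, {"Access-Control-Allow-Origin": origin,
                          "Access-Control-Allow-Credentials": "true"},
                    body=f"private data of {user}")


def careful_handler(req):
    """Cookies prove who the user is; the Origin header says which site is
    asking. Only sites on an explicit allowlist are granted the data."""
    user = session_user(req)
    if user is None:
        return Response(401)

    origin = req.headers.get("Origin")
    # No Origin header, or our own origin: a same-site request. Serve it,
    # but attach no cross-origin permission headers.
    if origin is None or origin == SITE_ORIGIN:
        return Response(200, body=f"private data of {user}")

    # Cross-site request: the user's session is not consent for this site.
    if origin not in ALLOWED_ORIGINS:
        return Response(403, body="cross-site access not granted")

    return Response(200, {"Access-Control-Allow-Origin": origin,
                          "Access-Control-Allow-Credentials": "true",
                          "Vary": "Origin"},
                    body=f"private data of {user}")


if __name__ == "__main__":
    # Constructed request: a third-party page caused the browser to send
    # alice's session cookie along with a cross-site request.
    third_party = Request("GET", "/me", {"Origin": "https://other.test"},
                          {"session": "sess-abc"})
    print("naive:  ", naive_handler(third_party))
    print("careful:", careful_handler(third_party))
```

The naive handler hands alice's data to any origin that can make her browser send the cookie; the careful one returns 403 for the same request and only sets the permission headers for an allowlisted origin. Note that the careful handler also omits the permission headers on same-site requests, so a missing Origin header never widens access.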
