Hello,

Not long ago I published a paper which makes some observations about the state of security in web session management and proposes some small changes in browsers. Someone suggested I post it here for comments. See: http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

I'm currently most interested in feedback on the proposed change in 401 behavior vs. the possible header addition for logouts. I realize the WHATWG may not mess with stuff at the HTTP level much, but I definitely welcome any comments.

Regards,
tim