[Authentication] cookie-handling in password storage?

Stef Walter stef-list at memberwebs.com
Tue Aug 18 21:28:25 PDT 2009


Mark Peter Wege wrote:
> My suggestion is to add cookie handling to the jobs for the password storage. 
> I know that cookies are not passwords, but they affect security and privacy in 
> a similar way as passwords and it would be really good to have a common 
> solution for that too.
> - Cookies are often used for authentication. In that sense it would be really 
> useful to lock them away in a secure framework too.

Yes, for sure. The spec, as it is, can certainly be used for cookie
handling. I agree that cookies are definitely security tokens in many
cases.

Because of the fact that they're security tokens, it makes an incredible
amount of sense to have them shared between browsers, so that you can
log in somewhere, and some library or another browser can use that
logged in status.

One of the things I'm going to bring up on the list shortly is
collections with a limited lifetime that are never stored to disk. This
makes sense in the case of cookie storage as well.

I imagine in conjunction with browsers we'd want to decide on some sort of
'schema' for storage of browser secrets. This has been brought up once or
twice on the list. I'm not the one to do it, since I don't have that
much experience in that arena.

Of course the big obstacle here is not whether it could be done; it's
the buy-in from the browsers.

> Hope you do not mind that I joined, even though I do not have a technical 
> background.

Yes please do. We need contribution from all angles.

Cheers,

Stef
