Client development for HTTP Negotiate
Russ Allbery
rra at stanford.edu
Thu Feb 28 12:30:13 EST 2013
Nico Williams <nico at cryptonector.com> writes:
> You basically have to initialize a new security context for every HTTP
> request. This sucks. You can avoid this only by creating a "session".
> Traditionally that means "use cookies". Or you could implement one of
> several proposals for "session continuation" based on session IDs and
> per-request/response MACs binding requests/responses to sessions.
The pain here is inherent in the HTTP security model or, rather, lack
thereof. Almost every other widely-used protocol has some inherent way of
establishing a persistent security context that is used for subsequent
protocol commands. HTTP doesn't; you essentially have to repeat yourself
with every request because it was designed to be stateless. This applies
to all HTTP security mechanisms; it's just that most of the widely used
ones don't care about context.
I was very sad when I heard about SPDY, looked at the protocol briefly,
and discovered that it apparently doesn't fix this. Hopefully I'm just
missing something.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
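As an added illustration of the "session continuation" idea the quoted text describes (this is not code from the thread or from any of the proposals), here is a Python sketch: after the initial Negotiate exchange the server issues a session ID and holds a session key, and every later request carries a counter plus an HMAC over method, path, body digest, session ID and counter, which the server checks before accepting it. Deriving the session key from the established GSS-API context is assumed rather than shown; the key is simply passed in.

```python
import hashlib
import hmac
import secrets

# Constructed server-side session table: session id -> [session key, last counter seen].
# In a real deployment the key would be derived from the GSS-API context that the
# initial Negotiate exchange established; here it is assumed and passed in directly.
SESSIONS = {}


def open_session(session_key: bytes) -> str:
    """Issue a session id once the Negotiate handshake has completed."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = [session_key, 0]
    return sid


def _canonical(method: str, path: str, body: bytes, sid: str, counter: int) -> bytes:
    """Bytes that the MAC covers: request line, body digest, session id and counter."""
    return b"\n".join([
        method.encode(), path.encode(),
        hashlib.sha256(body).hexdigest().encode(),
        sid.encode(), str(counter).encode(),
    ])


def sign_request(key: bytes, method: str, path: str, body: bytes, sid: str, counter: int) -> str:
    """Client side: compute the per-request MAC that would travel in a request header."""
    return hmac.new(key, _canonical(method, path, body, sid, counter), hashlib.sha256).hexdigest()


def verify_request(method: str, path: str, body: bytes, sid: str, counter: int, mac: str) -> bool:
    """Server side: accept the request only if it is bound to a live session,
    its counter is fresh (no replay) and the MAC matches."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return False
    key, last_counter = entry
    if counter <= last_counter:
        return False  # replayed or reordered request
    expected = sign_request(key, method, path, body, sid, counter)
    if not hmac.compare_digest(expected, mac):
        return False
    entry[1] = counter  # advance the replay window only after a valid MAC
    return True
```

The response direction would be bound the same way with a MAC over the status, body digest, session ID and the request's counter, which this sketch leaves out.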