[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AD Evaluation of draft-ietf-atompub-protocol-11

To: atom-protocol Protocol <atom-protocol@xxxxxxx>
Subject: Re: AD Evaluation of draft-ietf-atompub-protocol-11
From: Elliotte Harold <elharo@xxxxxxxxxxxxxxx>
Date: Wed, 18 Oct 2006 16:11:54 -0400
In-reply-to: <8BD53B7C-5B43-4F2D-8DC5-0281CCB84B84@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/atom-protocol/mail-archive/>
List-id: <atom-protocol.imc.org>
List-unsubscribe: <mailto:atom-protocol-request@imc.org?body=unsubscribe>
References: <8BD53B7C-5B43-4F2D-8DC5-0281CCB84B84@xxxxxxxxxxxx>
Sender: owner-atom-protocol@xxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (Macintosh/20060909)


Lisa Dusseault wrote:

Cookie support, sessions, authentication
Is there an assumption that clients MUST support cookies?


No, there is no such assumption.

There may be an assumption that the server will not require this ofclients. In fact, I would argue that a server which does require cookiesis seriously broken. Perhaps that should be spelled out.

without sucha requirement explicitly stated, some clients won't, for reasonablesecurity concerns. Instead, is there an assumption that clients MUSTrepeat authentication headers with each request? Or will serverseffectively end up constantly "reminding" clients (through 401 errors)to authenticate?


The former. This is standard HTTP practice.

This might seem obvious but it definitely differs fromregular HTTP practice where clients authenticate once and then stopsending authentication information automatically and it just worksbecause of cookies.

That's not standard HTTP practice at all. That's an ugly hack thatcompletely bypasses HTTP authentication.

Also we'd experienced this as an interoperabilityproblem in WebDAV interoperability tests where some server implementorsinsisted that certain WebDAV clients were completely broken in notsupporting cookies.

That's because WebDAV violates the HTTP architecture six ways to Sunday,and tries to pretend the Web is just a funny kind of LAN. By contrastAPP is being designed in accordance with the design of HTTP rather inactive conflict with it. Assuming we can educate developers about whatthis means, there shouldn't be the sort of Broken-by-design problemsWebDAV encounters.

Hmm, that's actually a pretty big assumption. I suspect there will beproblems; but at least they should be able to be cured short of changingthe spec. I don't think we should turn the APP spec into an HTTPtutorial, even if such a document is sorely needed. (It might not hurtto publish one separately though, maybe as an informational RFC?)

Are there assumptions that sessions will be maintained throughpersistent connections? I believe there should be none. That is, ifyou're a client implementor thinking that the first request will containauthorization and subsequent requests on the same connection have noauthorization, think again.

APP is based on HTTP and REST. In accordance with this architecture,there are no sessions to maintain. Worrying about session maintenance inAPP makes about as much sense as worrying about trimming the jibs on theAutobahn.


--
Elliotte Rusty Harold  elharo@xxxxxxxxxxxxxxx
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/

Follow-Ups:
- Re: AD Evaluation of draft-ietf-atompub-protocol-11
  - From: Julian Reschke
- Re: AD Evaluation of draft-ietf-atompub-protocol-11
  - From: Robert Sayre

References:
- AD Evaluation of draft-ietf-atompub-protocol-11
  - From: Lisa Dusseault

Prev by Date: Re: AD Evaluation of draft-ietf-atompub-protocol-11
Next by Date: Re: AD Evaluation of draft-ietf-atompub-protocol-11
Previous by thread: Re: AD Evaluation -- updated?
Next by thread: Re: AD Evaluation of draft-ietf-atompub-protocol-11
Index(es):
- Date
- Thread