Abstract
One of the most often talked about problems in web security is
"cookies". Web cookies are a method of associating requests with
"sessions" that may have been authenticated somehow. Cookies are a
form of bearer token that leave much to be desired. This document
proposes a session "continuation" protocol for HyperText Transport
Protocol (HTTP).
1. Introduction
The motivation for this protocol is described in
[I-D.williams-websec-session-continue-prob].
We define a protocol for cryptographic "session continuation" for
HyperText Transport Protocol (HTTP) [RFC2616]. Session continuation
is the act of binding an HTTP request to a "session". A "session"
consists of all the HTTP requests by a given user (possibly an
authenticated user, or possibly an anonymous user). This protocol is
a cryptographic protocol that aims to meet all the requirements given
in [I-D.williams-websec-session-continue-prob].
The protocol consists of:
o a request header carrying a keyed Message Authentication Code
(MAC) that proves possession of a shared session key (shared
between the user and the server);
o a response header advertising a default session scope to clients;
o a session identification in the form of a URI;
o an optional facility for server-side statelessness by storing
state on the client-side, encrypted in a secret key known to the
server;
o a request header for requesting the establishment of a session;
o a response header for indicating the establishment of a session,
and including a session URI and any optional state to be repeated
by the client.
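To make the first and last points concrete, here is a small added example (not code from the draft) of the client proving possession of the shared session key with a keyed MAC, and the server verifying it against the session URI it issued. The header layout, parameter names, and the set of request fields bound by the MAC are assumptions for illustration; the draft's actual syntax is not shown on this page.

```python
import hashlib
import hmac
import secrets

# Assumed parameter name for the MAC algorithm; not taken from the draft.
MAC_ALG = "hmac-sha256"


def canonical_request(session_uri, method, host, path, nonce):
    """Bytes covered by the MAC: binds this request to the session URI (assumed canonical form)."""
    return "\n".join([session_uri, method.upper(), host.lower(), path, nonce]).encode()


def client_sign(session_key, session_uri, method, host, path):
    """Client side: build the request header that proves possession of the session key."""
    nonce = secrets.token_hex(8)  # fresh per request so the server can refuse replays
    data = canonical_request(session_uri, method, host, path, nonce)
    mac = hmac.new(session_key, data, hashlib.sha256).hexdigest()
    return f"{session_uri}; nonce={nonce}; alg={MAC_ALG}; mac={mac}"


def parse_header(value):
    """Split 'uri; k=v; k=v' into the session URI and a dict of parameters."""
    uri, *params = [p.strip() for p in value.split(";")]
    return uri, dict(p.split("=", 1) for p in params if "=" in p)


class SessionServer:
    def __init__(self):
        self.keys = {}            # session URI -> shared session key
        self.seen_nonces = set()  # (session URI, nonce) pairs already accepted

    def establish(self):
        """Answer a session-establishment request: mint a session URI and a key."""
        session_uri = "urn:example:session:" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[session_uri] = key
        return session_uri, key

    def verify(self, header, method, host, path):
        """Accept the request only if the MAC checks out and the nonce is unused."""
        session_uri, f = parse_header(header)
        key = self.keys.get(session_uri)
        if key is None or f.get("alg") != MAC_ALG or "nonce" not in f or "mac" not in f:
            return False
        if (session_uri, f["nonce"]) in self.seen_nonces:
            return False  # replay of a request already seen for this session
        data = canonical_request(session_uri, method, host, path, f["nonce"])
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, f["mac"]):
            return False  # constant-time compare; tampered request or wrong key
        self.seen_nonces.add((session_uri, f["nonce"]))
        return True
```

Because the MAC covers the method, host and path, a header lifted from one request cannot be reused for another, which is the property a plain bearer cookie lacks.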
Read more: http://tools.ietf.org/html/draft-williams-websec-session-continue-proto-00