On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <say...@gmail.com> wrote:
> Let's call my proposed addition the "opaque" parameter. The client
> sends it back unchanged, just like the id.

That already exists in the scheme. It's just the value of the cookie.

> This is just one use of an opaque field that servers might want to
> try. I suppose this data could get stuffed into the SID too. Is that
> the idea?

Yep. In talking with folks who run large web sites, they already have a session identifier cookie that contains most of the information you'd want to encode in this opaque value. For example, most sites include an "issue date" in their session identifiers so they can discard old values.

One possibility is to include the value of the Cookie header in the MAC. Then sites could use Set-Cookie to change a server-side nonce, if they wanted. So far there hasn't been much demand for that feature from server operators I've talked with.

Adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
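The design point in the reply above (a session cookie carrying an issue date, and the Cookie header value folded into the request MAC so a Set-Cookie rotation invalidates old MACs) as an added, constructed example; this is not code from the thread or from any draft, and the string-to-sign layout, the `sid=<issue_time>.<opaque>` cookie format and the key are assumptions made here for illustration:

```python
import hmac
import hashlib
from typing import Dict, Tuple

KEY = b"constructed-shared-mac-key"  # constructed sample key, not a real credential

def string_to_sign(method: str, uri: str, host: str, timestamp: int,
                   nonce: str, cookie_header: str) -> bytes:
    # Assumed normalization, not a draft's exact string-to-sign. The Cookie
    # header is covered so that any change to the session cookie changes the MAC.
    parts = [str(timestamp), nonce, method.upper(), uri, host, cookie_header]
    return ("\n".join(parts) + "\n").encode()

def compute_mac(key: bytes, method: str, uri: str, host: str, timestamp: int,
                nonce: str, cookie_header: str) -> str:
    return hmac.new(key, string_to_sign(method, uri, host, timestamp, nonce,
                                        cookie_header), hashlib.sha256).hexdigest()

def session_issue_date(cookie_header: str) -> int:
    # Constructed session-id format: sid=<issue_unix_time>.<opaque>
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "sid":
            return int(value.split(".", 1)[0])
    raise ValueError("no sid cookie")

def sign_request(key: bytes, method: str, uri: str, host: str, timestamp: int,
                 nonce: str, cookie_header: str) -> Dict[str, object]:
    # Client side: build the request fields and the MAC over them.
    return {"method": method, "uri": uri, "host": host, "timestamp": timestamp,
            "nonce": nonce, "cookie": cookie_header,
            "mac": compute_mac(key, method, uri, host, timestamp, nonce, cookie_header)}

def verify_request(key: bytes, req: Dict[str, object], now: int,
                   max_age: int) -> Tuple[bool, str]:
    # Server side: discard sessions whose issue date is too old, then check the
    # MAC; a request replayed with a different or rotated cookie fails the MAC.
    cookie_header = str(req["cookie"])
    try:
        issued = session_issue_date(cookie_header)
    except ValueError as exc:
        return False, str(exc)
    if now - issued > max_age:
        return False, "session too old"
    expected = compute_mac(key, str(req["method"]), str(req["uri"]), str(req["host"]),
                           int(req["timestamp"]), str(req["nonce"]), cookie_header)
    if not hmac.compare_digest(expected, str(req["mac"])):
        return False, "mac mismatch"
    return True, "ok"
```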