On Fri, Jun 10, 2011 at 11:36 AM, Robert Sayre <say...@gmail.com> wrote:
> On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth <i...@adambarth.com> wrote:
>> On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <say...@gmail.com> wrote:
>>> Let's call my proposed addition the "opaque" parameter. The client
>>> sends it back unchanged, just like the id.
>>
>> That already exists in the scheme. It's just the value of the cookie.
>>
>>> This is just one use of an opaque field that servers might want to
>>> try. I suppose this data could get stuffed into the SID too. Is that
>>> the idea?
>>
>> Yep.
>
> OK, this is all much clearer. Could the draft include these
> explanations and examples? It seems like the draft is obfuscated right
> now. Why not just plainly state something similar to
>
> "This mechanism really just adds a little more security to session cookies."
>
> in the introduction? I hope it isn't because of HTTP religion or
> something like that.

Sounds like a good idea.

Adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth