On Fri, Jun 10, 2011 at 11:36 AM, Robert Sayre <[email protected]> wrote:
> On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth <[email protected]> wrote:
>> On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <[email protected]> wrote:
>>> Let's call my proposed addition the "opaque" parameter. The client
>>> sends it back unchanged, just like the id.
>>
>> That already exists in the scheme. It's just the value of the cookie.
>>
>>> This is just one use of an opaque field that servers might want to
>>> try. I suppose this data could get stuffed into the SID too. Is that
>>> the idea?
>>
>> Yep.
>
> OK, this is all much clearer. Could the draft include these
> explanations and examples? It seems like the draft is obfuscated right
> now. Why not just plainly state something similar to
>
> "This mechanism really just adds a little more security to session cookies."
>
> in the introduction? I hope it isn't because of HTTP religion or
> something like that.

Sounds like a good idea.

Adam
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
