On 08/20/2013 04:11 AM, Matthias Wessendorf wrote:
hello,
going over the iOS JIRAs, I found this:
https://issues.jboss.org/browse/AGIOS-6
and wasn't really sure on 'why' this is needed. A bit more searching made
me find this Android ticket:
https://issues.jboss.org/browse/AGDROID-28
which has a bit more information.
However, I guess we should discuss if such a 'Cookie mgmt API' is
really needed. For JS I couldn't find a similar ticket.
Any thoughts?
Since it might be security season now with summer Push being over this
is a great time to discuss cookies.
Right now cookies are only "officially" used by the AeroGear
Authentication module. In theory that module can handle the cookie
header on its own and keep us from having to implement an
API/facade/proxy/EnterpriseBuzzwordPattern.
In practice some websites also set a cookie when you are using HTTP
Basic or HTTP Digest authentication. By the (RFC) spec the way you
handle logging out in this case is to stop sending the header; the logout
methods (on Android) only clear the local credentials. As a convenience
these methods do wipe the local cookie store to make sure any session
cookie is wiped out.
Beyond session/authorization state I haven't heard of webservices using
cookies. (something something stateless). So I'm not sure if a cookie
discussion beyond this scope matters.
-Matthias
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf