On 08/20/2013 04:11 AM, Matthias Wessendorf wrote:
hello,

going over the iOS JIRAs, I found this:
https://issues.jboss.org/browse/AGIOS-6

and wasn't really sure on 'why' this is needed. A bit more searching made me find this Android ticket:
https://issues.jboss.org/browse/AGDROID-28

which has a bit more information.

However, I guess we should discuss if such a 'Cookie mgmt API' is really needed. For JS I couldn't find a similar ticket.

Any thoughts?
Since it might be security season now with summer Push being over, this is a great time to discuss cookies.

Right now cookies are only "officially" used by the AeroGear Authentication module. In theory that module can handle the cookie header on its own and keep us from having to implement an API/facade/proxy/EnterpriseBuzzwordPattern.

In practice some websites also set a cookie when you are using HTTP Basic or HTTP Digest authentication. By the (RFC) spec the way you handle logging out in this case is to stop sending the header; the logout methods (on Android) only clear the local credentials. As a convenience these methods do wipe the local cookie store to make sure any session cookie is wiped out.

Beyond session/authorization state I haven't heard of web services using cookies (something something stateless). So I'm not sure if a cookie discussion beyond this scope matters.


-Matthias

--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
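
The logout behaviour described in this thread (stop sending the Basic header, and also wipe the local cookie store), as an added example that is not part of the original messages and is not AeroGear code. The class name BasicAuthSession, its methods, the host api.example.test and the cookie value are assumptions made for illustration; only java.net and java.util calls are used.

```java
import java.net.CookieManager;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical client-side session for an HTTP Basic endpoint.
public class BasicAuthSession {
    private final CookieManager cookies = new CookieManager();
    private String authorization; // null means "send no Authorization header"

    public void login(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        authorization = "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Value to attach to the next request, or null after logout.
    public String authorizationHeader() { return authorization; }

    public CookieStore cookieStore() { return cookies.getCookieStore(); }

    // Spec-level logout for Basic/Digest: simply stop sending the header.
    public void clearCredentials() { authorization = null; }

    // Logout as described in the thread: also drop any session cookie the
    // server set, so it cannot keep the session alive on its own.
    public void logout() {
        clearCredentials();
        cookies.getCookieStore().removeAll();
    }

    public static void main(String[] args) {
        URI api = URI.create("https://api.example.test/"); // assumed host
        BasicAuthSession s = new BasicAuthSession();
        s.login("alice", "constructed-password");

        // Constructed sample: a cookie a server might set alongside Basic auth.
        HttpCookie sid = new HttpCookie("JSESSIONID", "constructed-value");
        sid.setPath("/");
        sid.setSecure(true);
        s.cookieStore().add(api, sid);

        s.clearCredentials(); // header is gone, but the cookie would still be sent
        System.out.println("cookies left: " + s.cookieStore().get(api).size());
        s.logout();           // header and cookie store are both cleared
        System.out.println("cookies left: " + s.cookieStore().get(api).size());
    }
}
```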

