From the “hills I’m willing to die on” department: Cookies are 100% evil, they should never have been added to the web platform, and the world would be a better place if the HTTP auth mechanism had been continuously extended and improved instead

May 9, 2020 · 11:01 AM UTC

Replying to @stilkov
Write a good RFC and change it!
If that were the missing aspect, I’m quite sure someone would have done it. But by now way too much of the web economy relies on the bad decisions made two decades ago
Replying to @stilkov @elharo
How would one implement state management for unauthenticated sessions, such as shopping carts? Sessions as url parameters didn't work well.
Give each shopping cart its own URL
Replying to @stilkov
I am curious, how could a solution work that uses neither cookies nor things like Bearer tokens? That is an honest question, because I understand that both solutions we currently have are problematic.
Whatever auth info is currently sent as part of a cookie could (and should) have been standardized as an auth mechanism instead. This would of course require browser vendor support, which is why it will never happen except in an alternate reality
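The two design suggestions in this thread, carts that live at their own URL and authentication carried by the HTTP auth mechanism rather than a cookie, can be shown together in a small request handler. The code below is an added illustration, not code from @stilkov or anyone else in the thread. It assumes an in-memory cart store, a constructed single-user credential table, and the Basic scheme as a stand-in for whichever standardized auth scheme one would prefer; the point is the shape of the exchange (401 plus WWW-Authenticate, then Authorization), not the scheme itself.

```python
import base64
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores for this example; a real service would back them with a database.
CARTS = {}
# Constructed credential table. Plain text only to keep the example short; store password hashes in practice.
USERS = {"alice": "correct horse battery staple"}
REALM = "shop"


def new_cart() -> str:
    """Mint an unguessable cart id. The URL /carts/<id> is the capability: whoever
    holds it can use the cart, so no cookie and no server-side session table is needed."""
    cart_id = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    CARTS[cart_id] = []
    return cart_id


def basic_credentials(user: str, password: str) -> str:
    """Build the value of an Authorization header for the Basic scheme (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(headers: dict) -> Optional[str]:
    """Return the user name if the Authorization header carries valid Basic credentials, else None."""
    value = headers.get("Authorization", "")
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    expected = USERS.get(user)
    # Constant-time comparison; compare against an empty string for unknown users so the work is uniform.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if ok and expected is not None else None


def handle(method: str, path: str, headers: dict, body=None):
    """Route one request and return (status, response_headers, body).
    Note what is absent: the handler never reads a Cookie header and never emits Set-Cookie."""
    parts = path.strip("/").split("/")

    if method == "POST" and parts == ["carts"]:
        cart_id = new_cart()
        return 201, {"Location": f"/carts/{cart_id}"}, None

    if parts[0] == "carts" and len(parts) >= 2:
        cart = CARTS.get(parts[1])
        if cart is None:
            return 404, {}, None
        if method == "GET" and len(parts) == 2:
            return 200, {"Cache-Control": "no-store"}, list(cart)
        if method == "POST" and parts[2:] == ["items"] and body:
            cart.append(body)
            return 200, {"Cache-Control": "no-store"}, list(cart)
        return 405, {}, None

    if parts == ["account"]:
        user = authenticate(headers)
        if user is None:
            # The standard HTTP auth handshake: challenge with WWW-Authenticate instead of setting a cookie.
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}, None
        return 200, {"Cache-Control": "no-store"}, {"user": user}

    return 404, {}, None


if __name__ == "__main__":
    status, hdrs, _ = handle("POST", "/carts", {})
    print(status, hdrs["Location"])
    print(handle("GET", "/account", {}))
    print(handle("GET", "/account", {"Authorization": basic_credentials("alice", "correct horse battery staple")}))
```

Two properties are worth noticing. The cart URL is a bearer capability, so it must be minted from a CSPRNG and served with `Cache-Control: no-store`, and anyone who can read the URL (logs, referrers) can use the cart; that is the trade-off the "own URL" design accepts in exchange for needing no cookie. The account endpoint is reachable only through an explicit `Authorization` header, so a `Cookie` header, if a browser sends one anyway, has no effect on authentication at all.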
Replying to @stilkov
Are you aware of some RFC or articles where someone tackled this in a broader scope? The replies to this tweet are just a random collection of problems but I'd like to get an idea of what an alternative might look like.
Replying to @stilkov
Cookies != Auth
Replying to @stilkov
Maybe, but no one knew what's coming. The web grew organically, there were several attempts to standardize it and all of them achieved partial results (thank god and for obvious reasons)