[nycphp-talk] AJAX and State
Elliotte Harold
elharo at metalab.unc.edu
Fri Sep 7 07:40:50 EDT 2007
Kenneth Downs wrote:
> Should I email you a link allowing you to log into my customer's
> application and view confidential medical information?
User authentication is (usually) separate from the URL. You can e-mail
me such a link if you wish, but without the username and password I
wouldn't get in.
Nonetheless, the username and password should be transmitted with each
request (in the HTTP header, not the URL) so that it doesn't matter
whether I've switched browsers, rebooted my machine, or told my office
manager to login under my name on her PC.
The resource is identified by a URL and nothing but a URL. Whether I am
allowed to load that URL is a separate issue.
This is one point a lot of otherwise RESTful services like Amazon's E3
get wrong. My mailbox should have a URL like
https://mail.google.com/mail/erharold and yours should have a URL like
https://mail.google.com/mail/kdowns. Nonetheless, merely knowing the URL
would not be sufficient to log either of us in to either mailbox.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
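The design described in the message above, as an added example that is not part of the original post or of any real service: the resource is named by the URL alone (/mail/<user>), the caller is identified from an Authorization header carried on every request, and the server decides per request, with no session state, whether that caller may load that URL. The usernames, passwords and the /mail/<user> layout are constructed for the example; the password hashing (PBKDF2 from the standard library) is a stand-in for whatever a real deployment would use.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed credential store for the example: username -> PBKDF2 hash.
# A production service would use a memory-hard password hash (argon2/scrypt);
# PBKDF2 is used here only so the example runs offline with the standard library.
_SALT = b"constructed-example-salt"
_ITERATIONS = 20_000


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


USERS = {
    "elharo": _hash_password("correct horse"),   # constructed test passwords
    "kdowns": _hash_password("battery staple"),
}
_DUMMY = _hash_password("")  # compared against for unknown users to keep timing even


def basic_header(user, password):
    """Build the Authorization: Basic value a client sends with every request."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(headers):
    """Who is asking?  Decided from the header alone; the URL is never consulted."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password), expected)
    return user if ok and user in USERS else None


def mailbox_owner(path):
    """Which resource?  Decided from the URL alone: /mail/<user>."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "mail" and parts[1] in USERS:
        return parts[1]
    return None


def handle(target, headers):
    """Stateless per-request check; returns the HTTP status the server would send."""
    url = urlsplit(target)
    # The query string is deliberately never read for credentials: anything
    # placed there lands in server logs, proxies, Referer headers and history,
    # so a mailed link carrying ?user=...&password=... still gets a 401 below.
    user = authenticate(headers)
    if user is None:
        return 401  # no valid credentials on this request
    owner = mailbox_owner(url.path)
    if owner is None:
        return 404
    if owner != user:
        return 403  # authenticated, but not the owner of this mailbox
    return 200


if __name__ == "__main__":
    hdr = {"Authorization": basic_header("elharo", "correct horse")}
    print(handle("/mail/elharo", {}), handle("/mail/elharo", hdr), handle("/mail/kdowns", hdr))
```

Because the credentials travel in the header on each request, nothing is tied to a browser or machine: a new browser or a rebooted PC just sends the header again. The same property is why this only belongs on https: a Basic header on plain http is as exposed on the wire as a password in the URL would be.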