[nycphp-talk] AJAX and State
Elliotte Harold
elharo at metalab.unc.edu
Wed Sep 19 05:41:21 EDT 2007
Kenneth Downs wrote:
> That can only be done if the password is stored on the browser between
> requests. No thanks!
I don't know about your browser but mine (and those of most of the
people I know) store lots of passwords pretty much all the time. I
prefer to trust Firefox's encryption and security to my ability to
remember umpteen different passwords.
> At any rate, in principle I believe that sessions are a bad way to do
> things, they just have that bag-on-the-side feel. The only permanent
> use of a session in Andromeda is to store user information, notably
> user_id and password. I do this only because I am not aware of a secure
> session-less alternative. Any ideas are welcome.
The key idea is that all authentication data is transmitted with each
request, not merely a session token. There may well be ways to make that
authentication data something other than a username and password.
You may wish to explore what Amazon E3 does. They have some sort of
unique private-key/public key encryption scheme that might suit you.
Google GData also has some sort of strange, custom authentication scheme
though I haven't explored it in detail.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
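One way to realise the session-less scheme Elliotte describes (all authentication data travelling with every request, in the spirit of the signed-request schemes he points to) is an HMAC over the request, with the server recomputing it from a stored per-user secret and keeping no session at all. This is an added example, not code from the thread or from Andromeda; the key store, header names and the 300-second clock-skew window are assumptions.

```python
import hmac
import hashlib
import time

# Constructed key store (assumption): the server holds only a per-user
# secret. The secret itself never travels on the wire, only a MAC does.
SECRETS = {"alice": b"alice-secret-key-constructed"}

def canonical_string(method, path, timestamp):
    """Bytes both sides sign; the timestamp bounds the replay window."""
    return f"{method}\n{path}\n{timestamp}"

def sign_request(user, secret, method, path, timestamp=None):
    """Client side: build the headers carrying per-request auth data."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-User": user, "X-Timestamp": ts, "X-Signature": mac}

def verify_request(headers, method, path, now=None, max_skew=300):
    """Server side: recompute the MAC from the stored secret; no session."""
    secret = SECRETS.get(headers.get("X-User"))
    if secret is None:
        return False  # unknown user: reject without revealing why
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False  # stale timestamp: limits replay of a captured request
    expected = hmac.new(secret, canonical_string(method, path, str(ts)).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC via timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))

if __name__ == "__main__":
    h = sign_request("alice", SECRETS["alice"], "GET", "/orders/42", timestamp=1000)
    print(verify_request(h, "GET", "/orders/42", now=1010))  # True
```

Because the server verifies each request from its stored secret alone, the browser never has to hold the password between requests, and nothing about the user has to be kept in a server-side session.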