[nycphp-talk] AJAX and State
Daniel Convissor
danielc at analysisandsolutions.com
Sat Sep 22 10:19:42 EDT 2007
Hi Elliotte:
On Sat, Sep 22, 2007 at 08:19:01AM -0400, Elliotte Harold wrote:
>
> For basic I'd use encrypted connections only. Digest is fine in the
> "clear".
No HTTP auth method is okay in the clear. Digest sends an MD5 hash as
the token. While that doesn't tell me what your password is, unless I
figure it out via a reverse lookup database, I can just forge my request
headers to include the hash itself.
> >Plus I don't like the idea of keeping
> >authentication information in the browser.
>
> Tough. That's being done anyway.
Depends on what the user's settings are.
> >How is using a session id cookie "working against" the design of HTTP?
>
> Because HTTP is explicitly designed to be stateless and sessionless.
> See, for example, Sam Ruby's RESTful Web Services.
Passing your user name and password on each request is no different than
passing a session ID on each request. They both indicate who you are.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
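The Digest exchange discussed above, as an added example that is not part of Dan's message or of any code from the list: it computes the RFC 2617 `response` value (qop=auth) on the client side, parses the resulting Authorization header the way a sniffer would see it, and then replays that captured header against two servers, one that ignores the nonce count and one that rejects a nonce/nc pair it has already accepted. The user name, realm, password and URI are made up for the example; the password is stored in plaintext on the server side only to keep the demonstration short.

```python
"""RFC 2617 Digest authentication round trip plus replay of a captured
Authorization header. Constructed example; names and values are made up."""
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' value a client sends. The password itself never goes on
    the wire; only MD5(user:realm:password) folded in with the server nonce,
    the nonce count, the client nonce and MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """Authorization header exactly as a browser would send it (qop=auth)."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, resp))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split a Digest header into its parameters; quoted or bare values."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: (q or b) for k, q, b in _PARAM.findall(header[len("Digest "):])}


class DigestServer:
    """Minimal verifier. With check_nonce_count=False a captured header can
    be resent as long as the nonce is still known to the server; with
    check_nonce_count=True each nonce/nc pair is accepted once."""

    def __init__(self, realm, users, check_nonce_count):
        self.realm = realm
        self.users = users                  # username -> password (example only)
        self.check_nonce_count = check_nonce_count
        self.last_nc = {}                   # nonce -> highest nc accepted

    def challenge(self):
        nonce = secrets.token_hex(16)       # value sent in WWW-Authenticate
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method, uri, header):
        p = parse_authorization(header)
        nonce = p.get("nonce")
        if nonce not in self.last_nc or p.get("uri") != uri:
            return False
        nc = int(p.get("nc", "0"), 16)
        if self.check_nonce_count and nc <= self.last_nc[nonce]:
            return False                    # nonce/nc already used: replay
        password = self.users.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password,
                                   method, uri, nonce, p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.last_nc[nonce] = nc
        return True


def demo():
    """Returns {mode: (first request accepted, replay accepted,
    password visible in header)} for a lenient and a strict server."""
    users = {"dan": "correct horse"}        # constructed credential
    results = {}
    for mode in ("lenient", "strict"):
        server = DigestServer("nycphp", users, check_nonce_count=(mode == "strict"))
        nonce = server.challenge()
        header = build_authorization("dan", "nycphp", "correct horse", "GET",
                                     "/list", nonce, "00000001", secrets.token_hex(8))
        first = server.verify("GET", "/list", header)
        # An eavesdropper who captured the header resends it unchanged.
        replay = server.verify("GET", "/list", header)
        results[mode] = (first, replay, "correct horse" in header)
    return results


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints `{'lenient': (True, True, False), 'strict': (True, False, False)}`: the captured header carries only the MD5 response, not the password, and whether resending it works depends entirely on the server tracking the nonce and nonce count. A header captured for `/list` is also useless for another URI, since the URI is folded into the hash.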