> Signed cookies are useful for all sorts of things - most importantly, they can be
> used in place of sessions in many places, which improves performance (and overall
> scalability) by removing the need to access a persistent session backend on every
> hit. Set the user's username in a signed cookie and you can display "Logged in as
> X" messages on every page without any persistence layer calls at all.
I appreciate your signed cookie work. I downloaded the latest version with the intent of using it to implement cookie-based login. But in researching how to use signed cookies for login, I came across this technique used by Drupal: http://jaspan.com/improved_persistent_login_cookie_best_practice (based on http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/ ), which just uses server-side state (and no encryption at all). So, there seem to be several alternatives.

From the pastiche.org article's premise 2, it seems that a signed cookie containing a user identifier is sufficient for cookie-based login. Very easy to implement with your signed cookie implementation.

On the other hand, cookie-based login can be achieved with regular cookies and some server state. The latter solution also allows identification of stolen cookies when the real user logs in, and a mutating cookie, which reduces a stolen cookie's lifetime. But this requires implementing their specs and lots of testing.
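As an added illustration of the server-state alternative described in the post (the series/token persistent-login scheme from the linked articles), not code from the thread, Django or Drupal: the in-memory `SERIES_TABLE`, the `username:series:token` cookie layout and the function names are assumptions made for this example; a real deployment keeps the table in the database.

```python
import secrets
import hmac

# Constructed stand-in for the persistent-login table: series id -> (username, current token).
SERIES_TABLE: dict[str, tuple[str, str]] = {}


def issue_cookie(username: str) -> str:
    """Start a new login series for the user with a fresh random series id and token."""
    series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SERIES_TABLE[series] = (username, token)
    return f"{username}:{series}:{token}"


def present_cookie(cookie: str):
    """Apply the series/token rules to a presented cookie.
    Returns (username, rotated_cookie) on success, None when the cookie is unknown or
    when its reuse reveals that a copy of it is in circulation."""
    try:
        username, series, token = cookie.split(":")
    except ValueError:
        return None
    entry = SERIES_TABLE.get(series)
    if entry is None or entry[0] != username:
        return None                      # unknown series: simply not logged in
    if not hmac.compare_digest(entry[1], token):
        # Known series, stale token: this token was already consumed by an earlier visit,
        # so a copied cookie is being replayed. Invalidate every series of this user.
        for s, (u, _) in list(SERIES_TABLE.items()):
            if u == username:
                del SERIES_TABLE[s]
        return None
    # Valid: rotate the token so a copy becomes useless after the legitimate next visit.
    new_token = secrets.token_urlsafe(16)
    SERIES_TABLE[series] = (username, new_token)
    return username, f"{username}:{series}:{new_token}"


def demo() -> dict:
    """Walk through the scenario the post mentions: a copied cookie is presented later."""
    cookie = issue_cookie("alice")
    copied = cookie                                       # copy taken before the user returns
    first = present_cookie(cookie)                        # legitimate visit: accepted, rotated
    replay = present_cookie(copied)                       # stale token reappears: detected
    after = present_cookie(first[1]) if first else None   # rotated cookie is now dead too
    return {"first_visit_ok": first is not None,
            "replay_detected": replay is None,
            "user_logged_out_everywhere": after is None}


if __name__ == "__main__":
    print(demo())
```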