On Sun, 10 Oct 1999, Jeffrey W. Baker wrote:
...snip...
> In my opinion storing anything besides a session key on the client side is
> needless extra work.  Just give the client a token, in the cookie or in the URL,
> and make sure the client sends that token back on every request.  Store the
> expiration time, the user name, and other information about the session on the
> server.  Check and update this information on every request.  Make the client
> reauthenticate after a short period of inactivity (15 minutes, perhaps), and
> give the user a way to logout or otherwise destroy their session (in case they
> are on a public terminal).
...snip...


If anyone is interested, I've got a somewhat hacked version of
Apache::AuthCookie.pm that allows the browser to store information either
as a cookie OR using standard HTTP authentication.  This doesn't win you
anything in terms of security of course, but it at least allows the stuff
to work even with clients that refuse all cookies.  The code is a bit 
crufty at this point, but I'd be happy to clean it up and publish it if 
anyone would like to use it.

-Rob
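The server-side scheme Jeffrey sketches above (opaque token on the client, everything else in a server table, sliding idle timeout, explicit logout) is worth seeing end to end. The following is an added example and is not code from this thread or from Apache::AuthCookie; it is written in Python rather than mod_perl so it runs stand-alone, and the class and function names, the 15-minute idle window and the `FakeClock` helper are all assumptions chosen for illustration. The table is keyed by a SHA-256 hash of the token rather than the token itself, so a dump of the server's session table does not hand out live credentials; that choice is the example's, not something the thread specifies.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before reauthentication is required (assumption)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # any other per-session state stays server-side


class SessionStore:
    """Server-side session table; the client holds only an opaque random token."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout logic can be exercised offline

    @staticmethod
    def _key(token):
        # Store a hash of the token, not the token: a leaked table is not a set of
        # live sessions, and lookup is a dict hit on the hash, not a byte compare.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, cookie/URL safe
        now = self._clock()
        self._sessions[self._key(token)] = Session(user=user, created=now, last_seen=now)
        return token  # this is the only thing the client ever receives

    def lookup(self, token):
        """Return the user for a valid token, else None; resets the idle clock."""
        if token is None:
            return None
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None  # unknown or forged token
        now = self._clock()
        if now - sess.last_seen > self._idle_timeout:
            del self._sessions[key]  # idle too long: drop it and force reauthentication
            return None
        sess.last_seen = now  # "check and update on every request": sliding expiration
        return sess.user

    def destroy(self, token):
        """Explicit logout: remove the server record so the token is dead everywhere."""
        return self._sessions.pop(self._key(token), None) is not None

    def purge_expired(self):
        """Housekeeping for sessions that simply stopped sending requests."""
        now = self._clock()
        stale = [k for k, s in self._sessions.items() if now - s.last_seen > self._idle_timeout]
        for k in stale:
            del self._sessions[k]
        return len(stale)


class FakeClock:
    """Constructed clock so the timeout behaviour can be demonstrated deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(idle_timeout=15 * 60, clock=clock)
    token = store.create("alice")
    results = {"fresh": store.lookup(token)}
    clock.advance(10 * 60)
    results["active_at_10m"] = store.lookup(token)   # still valid, idle clock reset
    clock.advance(10 * 60)
    results["active_at_20m"] = store.lookup(token)   # valid: only 10 min since last request
    clock.advance(16 * 60)
    results["idle_16m"] = store.lookup(token)        # None: exceeded the 15-minute idle window
    results["forged"] = store.lookup(secrets.token_urlsafe(32))  # None: never issued
    token2 = store.create("bob")
    results["logout"] = store.destroy(token2)        # True: public-terminal logout
    results["after_logout"] = store.lookup(token2)   # None
    results["plaintext_token_stored"] = token2 in store._sessions  # False: only hashes kept
    return results


if __name__ == "__main__":
    print(demo())
```

The point Jeffrey makes is visible in `lookup`: the token carries no meaning on its own, so there is nothing for the client to tamper with, and every check (who the user is, whether the session is still fresh) happens against state the server controls.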
