>>>>> "Jeffrey" == Jeffrey W Baker <[EMAIL PROTECTED]> writes:

Jeffrey> Randal, how do you suppose that HTTP basic auth works?  The
Jeffrey> user agent stores the username and password and transmits
Jeffrey> them to the server on every request.

The difference between a cookie and a basic-auth password is that for
a basic-auth, *I* am carrying the credential (the user/password), and
the browser is merely caching it, and I have some control over that.
A cookie is its own credential and therefore non-portable.  Until
someone invents a "cookie wallet" that I can plug into each browser
I'm using at the moment, cookies for long-term auth are truly
unusable.

Jeffrey> This is exactly identical to a cookie which is set to have a
Jeffrey> short expiration time.  That's why I say replacing basic auth
Jeffrey> with cookies is acceptable: both of them are a totally
Jeffrey> inadequate way to authenticate users.

Yes, and I agree with you.  For *short term* auth, cookies are OK.
But I've seen too many apps out there that use cookies for unique ID
for long term.  Wrong.  Broken.  Busted.  Basic-auth would be way
better, although still not ideal.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
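The distinction drawn in this exchange, a cookie that is a short-lived server-issued credential versus a cookie that merely carries a long-term user ID, can be made concrete. The following is an added example, not code from either poster or from any project in the thread: it issues an HMAC-signed session cookie with an expiry and shows the server-side check that enforces both integrity and lifetime, beside the bare-ID pattern the reply calls broken. The key, field layout and function names are the example's own assumptions.

```python
import hmac
import hashlib
import secrets
import time

# Constructed key for the example; a real server loads this from protected config.
SERVER_KEY = b"constructed-example-key-not-for-production"


def issue_session_cookie(username, ttl_seconds, now=None):
    """Issue 'user:expiry:nonce:mac'. The cookie is a credential the server minted,
    and it stops being one once expiry passes (the "short term" case in the thread).
    Usernames are assumed not to contain ':' in this example."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    nonce = secrets.token_hex(8)           # makes each issued cookie distinct
    payload = f"{username}:{expiry}:{nonce}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + ":" + mac


def verify_session_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and unexpired, else None.
    Both checks matter: the MAC rejects forged or edited cookies, the expiry
    rejects cookies that have outlived the session they were issued for."""
    now = int(time.time()) if now is None else now
    try:
        username, expiry_str, nonce, mac = cookie.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return None                        # malformed cookie
    payload = f"{username}:{expiry}:{nonce}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                        # tampered or not issued by us
    if now >= expiry:
        return None                        # expired: the credential is gone
    return username


def verify_bare_id_cookie(cookie):
    """The long-term pattern the reply calls broken: the cookie *is* a user ID and
    the server trusts it as-is, with nothing binding it to a login or a lifetime."""
    return cookie


if __name__ == "__main__":
    c = issue_session_cookie("alice", ttl_seconds=600)
    print("valid now:", verify_session_cookie(c))
    print("valid in 1 hour:", verify_session_cookie(c, now=int(time.time()) + 3600))
```

Run stand-alone, the script prints `alice` for the fresh cookie and `None` once the clock has moved past the expiry; editing any character of the cookie also yields `None`, because the MAC no longer matches.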