> What? The EU is going to make cookies *illegal*? I highly doubt
> this.

Sorry, I am neither the lawyer nor the client, so I can't tell you... I know it's really stupid, but I am going to have to deal without cookies.

> Jean-Michel> * For usability reasons encoding session IDs on URIs would be really
> Jean-Michel> bad... users need to be able to 'hack' the URIs without f***ing their
> Jean-Michel> sessions!
>
> Why is a user "hacking" their URLs?

I can answer that.

http://www.useit.com/alertbox/990321.html

<cite>
* a domain name that is easy to remember and easy to spell
* short URLs
* easy-to-type URLs
* URLs that visualize the site structure
* URLs that are "hackable" to allow users to move to higher levels of the information architecture by hacking off the end of the URL
* persistent URLs that don't change
</cite>

i.e. http://bigmegamarket.com/grocery/fruits/bananas/ is cool,
http://bigmegamarket.com/index.pl?id=231223412&sid=56765454151 is not.

Again it doesn't always make implementation easy :-/

> Jean-Michel> Therefore I have to use HTTP authentication...
>
> Even though the user/password is transmitted *in the clear* on
> *every single hit*, because you can't just use a session identifier?
> This is so very wrong from a security perspective.

I have to agree with you on that. Cookies are probably far better than HTTP authentication. But I cannot use cookies. Period. I wish I could, because this was what I did in the first place and it was working fine!

Cheers,
--
IT'S TIME FOR A DIFFERENT KIND OF WEB
================================================================
Jean-Michel Hiver - Software Director
[EMAIL PROTECTED]
+44 (0)114 255 8097
================================================================
VISIT HTTP://WWW.MKDOC.COM