On Thu, 12 Dec 2002 14:29:16 -0000, Peter Werner wrote: >hi all Hi Peter, et al
[snip] >i suppose it really depends on what you are developing, but take >heed. i >fully understand why cookie based authentication may be >unacceptable, but >consider maintainability and (long-term) scalability when you're >doing your >design and implementation. in the end you'll save someone a few grey >hairs [snip] >>documentation :). however, it seems to me that (for clients >>that can support this >>implementation of Digest, which seems to be just about >>everyone but MSIE) the nonce >>provides exactly the kind of state information that is >>required for login/logout >>authentication. >> >>of course, it trades cookies for that pop-up box (again), so >>if you're looking for >>cookiless, HTML form based logins, then it's probably not >>what you want. All comments highly appreciated. It's a university environment, with MSIE on all PCs. Under Apache V 1/Perl 5.6.0 I could not get the Apache::AuthCookieURL option working which munged URLs without requiring cookies. I've just upgraded to Apache V 2/Perl 5.8.0 and fought off a dept-wide Klez attack, with McAfee lying about having cleaned the machines, so one day soon I'll retry AuthCookieURL. -- Cheers Ron Savage, [EMAIL PROTECTED] on 14/12/2002 http://savage.net.au/index.html