On Nov 13, 2007, at 11:48 AM, Michael Peters wrote:
> Why is this considered "ticketless"? Isn't the challenge that you
> mention below really a ticket? And does the client need to present
> this ticket on every request?

Yes, you're right - the challenge is a ticket -- and must be
presented on every request.
Perhaps this is a very bad semantic naming -- I meant that there is
no local store on the ticket - as it is self-validating.

> Sounds an awful lot like mod_auth_tkt to me, or am I missing
> something?

It's like mod_auth_tkt in design, but not in function.
mod_auth_tkt does Apache auth via cookies and Apache - I need to
support a non-cookie and non-Apache environment.
This is meant to offer a security layer when doing a form-style login
via Flash or JavaScript over an insecure connection - so that a user
password is never sent in the open.
I'm in the midst of writing the corollary Flash and JS libraries too.
Maybe mod_auth_tkt can support that via specific calls?