>>>>> "Igor" == Igor Chudov <ichu...@gmail.com> writes:

Igor> In my case, in almost all instances, the only thing I would want to
Igor> store is authenticated userid.

The problem with that is public web browsers. You *cannot* ensure the
expiration of an auth cookie, so you'll have to have some sort of server-side
data to say "this user most recently authenticated at this time, so I still
trust him".

And once you've done that, why store *any* auth client side? Just brand
the browser, as my article says.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
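
The approach described in the message above, sketched as an added example that is not part of the original post or of the article it mentions: the cookie holds only a random brand, and the server keeps the userid and the time of last authentication, so expiry and logout are decided server-side. The BrandStore class, its method names, the 15-minute limit and the brand rotation at login are assumptions of this sketch.

```python
import secrets
import time

MAX_AUTH_AGE = 15 * 60  # assumed policy: trust a login for 15 minutes


class BrandStore:
    """Server-side table keyed by an opaque browser brand (hypothetical helper)."""

    def __init__(self, max_auth_age=MAX_AUTH_AGE, clock=time.time):
        self._auth = {}  # brand -> (userid, time of last authentication)
        self._max_age = max_auth_age
        self._clock = clock  # injectable so expiry can be tested

    def new_brand(self):
        # The cookie value: random, carries no userid and no expiry to trust.
        return secrets.token_urlsafe(32)

    def login(self, old_brand, userid):
        # Assumption of this example: issue a fresh brand at login so a
        # value that was set in the browser before login is never trusted.
        self._auth.pop(old_brand, None)
        brand = self.new_brand()
        self._auth[brand] = (userid, self._clock())
        return brand

    def logout(self, brand):
        # Removing the row ends the session even if the cookie survives
        # in a public browser's cookie jar.
        self._auth.pop(brand, None)

    def current_user(self, brand):
        """Return the userid the server still trusts for this brand, or None."""
        row = self._auth.get(brand)
        if row is None:
            return None
        userid, authed_at = row
        if self._clock() - authed_at > self._max_age:
            del self._auth[brand]  # expiry decided here, not by the browser
            return None
        return userid
```
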