Kenneth Downs wrote:

Should I email you a link allowing you to log into my customer's application and view confidential medical information?
User authentication is (usually) separate from the URL. You can e-mail me such a link if you wish, but without the username and password I wouldn't get in.

Nonetheless, the username and password should be transmitted with each request (in the HTTP header, not the URL) so that it doesn't matter whether I've switched browsers, rebooted my machine, or told my office manager to login under my name on her PC.

The resource is identified by a URL and nothing but a URL. Whether I am allowed to load that URL is a separate issue.

This is one point a lot of otherwise RESTful services like Amazon's E3 get wrong. My mailbox should have a URL like https://mail.google.com/mail/erharold and yours should have a URL like https://mail.google.com/mail/kdowns. Nonetheless, merely knowing the URL would not be sufficient to log either of us in to either mailbox.

--
Elliotte Rusty Harold  [EMAIL PROTECTED]
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

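The separation Elliotte describes above, as an added example that is not code from the original thread or from any of the products named in it: the URL identifies the mailbox and nothing else, the Authorization header identifies the caller on every request (no server-side session, so changing browser or machine changes nothing), and whether the caller may read that mailbox is a third, separate decision. The user names and passwords below are constructed for the example, and the handler is a plain function rather than a real web framework so it can be run offline.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Constructed user store (not from the original post): username -> (salt, PBKDF2 hash).
# A real deployment would keep this in a database, but the shape is the same.
def _derive(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

_SALTS = {"erharold": os.urandom(16), "kdowns": os.urandom(16)}
USERS = {
    "erharold": (_SALTS["erharold"], _derive(b"java-io-2", _SALTS["erharold"])),
    "kdowns": (_SALTS["kdowns"], _derive(b"andromeda", _SALTS["kdowns"])),
}

# The URL names a resource: /mail/<owner>. It carries no credential of any kind.
MAILBOX_RE = re.compile(r"^/mail/([A-Za-z0-9_-]+)$")


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the username proven by the Authorization header, else None.

    Credentials ride in the header on every request (HTTP Basic here), so the
    server keeps no login state: a different browser or machine simply sends
    the same header. Nothing in the URL is consulted.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user_b, sep, password = raw.partition(b":")
    if not sep:
        return None
    try:
        user = user_b.decode("utf-8")
    except UnicodeDecodeError:
        return None
    record = USERS.get(user)
    if record is None:
        # Burn a derivation anyway so unknown users cost as much as wrong passwords.
        _derive(password, b"\x00" * 16)
        return None
    salt, expected = record
    if not hmac.compare_digest(_derive(password, salt), expected):
        return None
    return user


def handle_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Identify the resource from the URL alone, then decide separately
    whether the authenticated caller is allowed to load it."""
    m = MAILBOX_RE.match(path)
    if not m:
        return 404, "no such resource"
    owner = m.group(1)              # the URL says which mailbox ...
    user = authenticate(headers)    # ... the header says who is asking
    if user is None:
        return 401, "authenticate first"   # knowing the URL logs nobody in
    if user != owner:
        return 403, f"{user} may not read {owner}'s mailbox"
    return 200, f"mailbox of {owner}"


def basic_auth(user: str, password: str) -> Dict[str, str]:
    """Build the header a client attaches to every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Same URL three times; only the header changes the outcome.
    print(handle_request("GET", "/mail/erharold", {}))
    print(handle_request("GET", "/mail/erharold", basic_auth("erharold", "java-io-2")))
    print(handle_request("GET", "/mail/erharold", basic_auth("kdowns", "andromeda")))
```

Basic authentication sends the password on every request, which is exactly why the mailbox URLs in the post are https:// URLs: the header is only as confidential as the transport. The point the example makes is independent of the scheme, though; a bearer token or a signed request in the header separates identity from the URL in the same way, and a token in the query string would collapse the two again, turning the mailed link into the login.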