Kenneth Downs wrote:
> That can only be done if the password is stored on the browser between requests. No thanks!
I don't know about your browser but mine (and those of most of the people I know) store lots of passwords pretty much all the time. I prefer to trust Firefox's encryption and security to my ability to remember umpteen different passwords.
> At any rate, in principle I believe that sessions are a bad way to do things, they just have that bag-on-the-side feel. The only permanent use of a session in Andromeda is to store user information, notably user_id and password. I do this only because I am not aware of a secure session-less alternative. Any ideas are welcome.
The key idea is that all authentication data is transmitted with each request, not merely a session token. There may well be ways to make that authentication data something other than a username and password.
You may wish to explore what Amazon E3 does. They have some sort of unique private-key/public key encryption scheme that might suit you. Google GData also has some sort of strange, custom authentication scheme though I haven't explored it in detail.
--
Elliotte Rusty Harold
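An added example, not part of the original thread and not Amazon's or Google's actual scheme: one common way to send authentication data with every request without sending or storing the password is to sign each request with an HMAC over a shared secret. The header names, the key id, the secret store and the 300-second replay window are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: key id -> shared secret (hypothetical values).
SECRETS = {"demo-key-1": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed replay window)


def canonical(method, path, body, key_id, timestamp):
    """Bytes both sides sign: everything that must not change in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, key_id, str(timestamp)]).encode()


def sign_request(method, path, body, key_id, secret, now=None):
    """Client side: build the auth headers sent with every request."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, canonical(method, path, body, key_id, ts), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now=None):
    """Server side: return the key id if the request is authentic, else None."""
    key_id = headers.get("X-Key-Id", "")
    secret = SECRETS.get(key_id)
    if secret is None:
        return None  # unknown caller
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None  # missing or malformed timestamp
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW:
        return None  # stale or future-dated: limits replay of captured requests
    expected = hmac.new(secret, canonical(method, path, body, key_id, ts),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return key_id
```

The server keeps no per-user session state; it only needs the secret for the key id named in the request, and the secret itself never appears on the wire.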
