Daniel Convissor wrote:
On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
Nonetheless, the username and password should be transmitted with each
request (in the HTTP header, not the URL)
Are you saying the web browser should send the user name and password to
the HTTP server on each request? That's a lousy idea.
Yes I am, and it's not a lousy idea. This follows directly from the
core principles of HTTP. HTTP Basic authentication does that. HTTP
digest is a little more complex. And there are some other alternatives.
However the fundamental principle is that full auth data must be sent
with each request.
Breaking that rule is going to cost you big time when you need to scale
an application. It very well may introduce single points of failure into
your app. You can architect around those, but only at the cost of doing
a lot more work with a lot more machines than you would have had to do
if your app had followed the design of HTTP instead of working against it.
--
Elliotte Rusty Harold [EMAIL PROTECTED]
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
