Elliotte Harold wrote:
Daniel Convissor wrote:
On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
Nonetheless, the username and password should be transmitted with
each request (in the HTTP header, not the URL)
Are you saying the web browser should send the user name and password
to the HTTP server on each request? That's a lousy idea.
Yes I am, and it's not a lousy idea. This follows directly from the
core principles of HTTP. HTTP Basic authentication does that. HTTP
digest is a little more complex. And there are some other
alternatives. However the fundamental principle is that full auth data
must be sent with each request.
Breaking that rule is going to cost you big time when you need to
scale an application. It very well may introduce single points of
failure into your app. You can architect around those, but only at the
cost of doing a lot more work with a lot more machines than you would
have had to do if your app had followed the design of HTTP instead of
working against it.
It is actually very appealing from the overall design viewpoint. Since
Andromeda logs you in to db server with the credentials you supply
(instead of something generic) then we have lost all need for state.
The itch though is in entrusting the uid/pw to the browser's memory,
which is easily exploitable. I simply cannot believe that that data is
adequately protected on an IE/Windows machine.
But then on the third hand the browser is trapping passwords anyway with
various wallet mechanisms that I cannot prevent, so what the heck, right?
Right now I'm considering the judgment call between those two ideas.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
