Elliotte Harold wrote:
Kenneth Downs wrote:

That can only be done if the password is stored on the browser between requests. No thanks!

I don't know about your browser but mine (and those of most of the people I know) store lots of passwords pretty much all the time. I prefer to trust Firefox's encryption and security to my ability to remember umpteen different passwords.

Me too, except that my customers still run IE on Windows.

At any rate, in principle I believe that sessions are a bad way to do things; they just have that bag-on-the-side feel. The only permanent use of a session in Andromeda is to store user information, notably user_id and password. I do this only because I am not aware of a secure session-less alternative. Any ideas are welcome.

You may wish to explore what Amazon E3 does. They have some sort of unique private-key/public key encryption scheme that might suit you. Google GData also has some sort of strange, custom authentication scheme though I haven't explored it in detail.


You can issue them a key as well, and require that key. That adds trouble to the login process, but does produce greater security.

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk