On Thursday 22 November 2001 13:04, Mike Orr wrote:
> On Thu, Nov 22, 2001 at 11:26:59AM -0800, Tavis Rudd wrote:
> > > As can be guessed from what I've just written, it makes sense
> > > to "extend" sessions to allow a user identity to be associated
> > > with them. But no more than that should be involved; certainly
> > > not what rights someone has.
> >
> > Totally agreed. Someone's 'rights' should not be stored using
> > sessions. Although that's really up to the implementor of a
> > particular 'rights management' system.
>
> However, you are both right. "Rights" are semi-permanent
> information which belong in a User or Userrights object. The
> session only needs a user identifier. Of course, with Basic
> Authentication the user ID doesn't even need to be stored in the
> session, but Basic Authentication has its own tradeoffs (not being
> able to log out, not being able to re-log in as someone else).

Hmm, I've changed my mind about liking the term 'rights management'. It implies 'rights' associated with the 'user', where I'd prefer to have 'permissions' associated with the 'resource'. Anyway, that's something for later ...

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss