On Wed, 26 Nov 2008 23:42:33 +0100, Calogero Alex Baldacchino <[EMAIL PROTECTED]> wrote:

> Martin Atkins wrote:
>> Your auth token here seems to me to be equivalent to a session cookie.

Yes, it does. But since session cookies are just that: cookies -- it isn't. An
authentication token is different from a session cookie in that it can be
persistent, based on the user's preferences, it won't be blocked by default
anywhere (once supported, that is) since it isn't using the same fragile
technology used by advertisers to track users and wreck their privacy and it
won't have any of the problems cookies have since it isn't a cookie.

> Perhaps that token was meant as a cross-session one, surviving until an
> explicit logout

Yes, among other things. Since we're inventing a new token here, we can place
any semantics and functionality in it we want. Re-using cookies would take us
exactly zero steps in the right direction. Cookies have their place, but
authentication is theoretically imho not one of them. In practice, there's
really no other alternative today.
--
Asbjørn Ulsberg -=|=- [EMAIL PROTECTED]
«He's a loathsome offensive brute, yet I can't look away»