[nycphp-talk] AJAX and State

Elliotte Harold elharo at metalab.unc.edu
Wed Sep 19 05:41:21 EDT 2007


Kenneth Downs wrote:

> That can only be done if the password is stored on the browser between 
> requests.  No thanks!

I don't know about your browser but mine (and those of most of the 
people I know) store lots of passwords pretty much all the time. I 
prefer to trust Firefox's encryption and security to my ability to 
remember umpteen different passwords.

> At any rate, in principle I believe that sessions are a bad way to do 
> things, they just have that bag-on-the-side feel.  The only permanent 
> use of a session in Andromeda is to store user information, notably 
> user_id and password.  I do this only because I am not aware of a secure 
> session-less alternative.  Any ideas are welcome.


The key idea is that all authentication data is transmitted with each 
request, not merely a session token. There may well be ways to make that 
authentication data something other than a username and password.

You may wish to explore what Amazon E3 does. They have some sort of 
unique private-key/public key encryption scheme that might suit you. 
Google GData also has some sort of strange, custom authentication scheme 
though I haven't explored it in detail.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
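As an added illustration (not part of the original thread, and not how Andromeda, Amazon or Google actually implement it), here is the shape of a session-less scheme of the kind the message points at: every request carries its own authentication data, a keyed signature over the request, and the server verifies it with nothing but a per-client shared secret. The key id, secret, paths and request body are constructed for the example; the header names are an assumption.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: key id -> shared secret.
# A real server would keep these in a database; the values are made up.
# The secret is a dedicated signing key, not the user's login password.
SECRETS = {
    "AKIDEXAMPLE": b"constructed-shared-secret-not-a-real-key",
}

MAX_CLOCK_SKEW = 300  # seconds; requests with older timestamps are rejected


def canonical_string(method, path, timestamp, body):
    """Build the string both sides sign. Binding the body hash and the
    timestamp into it means the signature covers this exact request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: produce the headers that carry the authentication data."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,        # assumed header names
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the signature from the request itself.
    No session store is consulted; only the per-key secret is looked up."""
    if now is None:
        now = int(time.time())
    try:
        key_id = headers["X-Key-Id"]
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    msg = canonical_string(method, path, timestamp, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Sign one constructed request, then verify it intact, tampered, and stale."""
    key_id = "AKIDEXAMPLE"
    secret = SECRETS[key_id]
    body = b'{"action":"update","user_id":42}'
    now = 1_190_000_000  # fixed clock so the demo is deterministic
    headers = sign_request(key_id, secret, "POST", "/api/profile", body, timestamp=now)
    good = verify_request(headers, "POST", "/api/profile", body, now=now)
    tampered = verify_request(headers, "POST", "/api/profile",
                              body.replace(b"42", b"1"), now=now)
    stale = verify_request(headers, "POST", "/api/profile", body,
                           now=now + MAX_CLOCK_SKEW + 1)
    return good, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "stale"), demo()):
        print(label, result)
```

The timestamp window bounds how long a captured request stays valid, but it does not stop a replay inside that window; closing that gap needs a record of seen nonces, which is exactly the kind of server-side state the scheme was trying to avoid. That trade-off is the real cost of "no sessions".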
