[nycphp-talk] AJAX and State
Kenneth Downs
ken at secdat.com
Fri Sep 7 09:12:12 EDT 2007
Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> Should I email you a link allowing you to log into my customer's
>> application and view confidential medical information?
>
> Nonetheless, the username and password should be transmitted with each
> request (in the HTTP header, not the URL) so that it doesn't matter
> whether I've switched browsers, rebooted my machine, or told my office
> manager to login under my name on her PC.
That can only be done if the password is stored on the browser between
requests. No thanks!
At any rate, in principle I believe that sessions are a bad way to do
things, they just have that bag-on-the-side feel. The only permanent
use of a session in Andromeda is to store user information, notably
user_id and password. I do this only because I am not aware of a secure
session-less alternative. Any ideas are welcome.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
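On the "secure session-less alternative" question raised above, one widely used answer is a signed, expiring login token: after the password is checked once, the server hands the browser a token carrying the user_id, an expiry time and an HMAC under a server-side secret, and verifies that MAC on every later request. The browser never holds the password and the server keeps no per-user session state. The following is an added example written for this reply, not code from Andromeda or from the original post; SERVER_SECRET, TOKEN_TTL, issue_token and verify_token are hypothetical names, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example: a session-less login token. The browser stores only this
// token (e.g. in an HttpOnly, Secure cookie), never the password, and the
// server keeps no session record; everything needed is in the token itself.
// SERVER_SECRET is a hypothetical long random key read from server config,
// never from the request. Requires PHP >= 5.6 for hash_equals().

define('SERVER_SECRET', 'replace-with-32-or-more-random-bytes-from-config');
define('TOKEN_TTL', 3600); // seconds a token stays valid

// Issue a token once the password has been verified against the database.
// Format: base64("user_id|expires") "." hex(HMAC-SHA256(payload, secret))
function issue_token($user_id, $now = null) {
    $now = ($now === null) ? time() : $now;
    $payload = $user_id . '|' . ($now + TOKEN_TTL);
    $mac = hash_hmac('sha256', $payload, SERVER_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Verify on every request. Returns the user_id, or false if the token is
// malformed, forged, tampered with, or expired.
function verify_token($token, $now = null) {
    $now = ($now === null) ? time() : $now;
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return false;
    }
    // Check the MAC before interpreting the payload: attacker-controlled
    // bytes are not trusted until the MAC matches. hash_equals() compares
    // in constant time so the check does not leak via timing.
    $expected = hash_hmac('sha256', $payload, SERVER_SECRET);
    if (!hash_equals($expected, $parts[1])) {
        return false;
    }
    $fields = explode('|', $payload);
    if (count($fields) !== 2 || !ctype_digit($fields[1])) {
        return false;
    }
    if ((int)$fields[1] < $now) {
        return false; // expired
    }
    return $fields[0];
}

// Stand-alone demonstration with a fixed clock.
$t = issue_token('alice', 1000);
assert(verify_token($t, 1500) === 'alice');   // valid, within TTL
assert(verify_token($t, 5000) === false);     // expired
// Swap in a different payload but keep the original MAC: rejected.
$forged = base64_encode('admin|4600') . '.' . substr($t, strpos($t, '.') + 1);
assert(verify_token($forged, 1500) === false);

// On login (hypothetical helper password_ok):
//   if (password_ok($user, $pw)) {
//       setcookie('auth', issue_token($user), 0, '/', '', true, true);
//   }
// On every other request:
//   $user = isset($_COOKIE['auth']) ? verify_token($_COOKIE['auth']) : false;
```

Two caveats worth stating: a purely stateless token cannot be revoked before it expires, so logout or a password change needs either a short TTL or a small server-side deny list (which reintroduces a little state, but far less than a full session); and rotating SERVER_SECRET invalidates every outstanding token, which is the intended behaviour if the key is ever exposed.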