[nycphp-talk] AJAX and State

Elliotte Harold elharo at metalab.unc.edu
Wed Sep 19 05:48:25 EDT 2007


Daniel Convissor wrote:
> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>> Nonetheless, the username and password should be transmitted with each 
>> request (in the HTTP header, not the URL)
> 
> Are you saying the web browser should send the user name and password to 
> the HTTP server on each request?  That's a lousy idea.
> 

Yes I am, and it's not a lousy idea.  This follows directly from the 
core principles of HTTP.  HTTP Basic authentication does that. HTTP 
digest is a little more complex. And there are some other alternatives. 
However the fundamental principle is that full auth data must be sent 
with each request.

Breaking that rule is going to cost you big time when you need to scale 
an application. It very well may introduce single points of failure into 
your app. You can architect around those, but only at the cost of doing 
a lot more work with a lot more machines than you would have had to do 
if your app had followed the design of HTTP instead of working against it.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
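
The per-request check described in the message above, as an added example that is not part of the original post: a server-side HTTP Basic verification in PHP that keeps no session state. The function name, user table and sample headers are assumptions constructed for illustration.

```php
<?php
// Stateless HTTP Basic check: each request carries its own credentials, so
// any server holding the user table can answer it without a session store.
// Basic credentials are only base64-encoded, so the header must travel over TLS.

// Constructed user table (hypothetical); a real application loads hashes from storage.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Return the authenticated username, or null if the header is missing,
// malformed, or the credentials do not match.
function authenticate_basic(?string $authorization, array $users): ?string
{
    if ($authorization === null
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', $authorization, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password itself may contain ':'.
    [$user, $password] = explode(':', $decoded, 2);

    // Unknown users are checked against a dummy hash so that response
    // timing does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $ok = password_verify($password, $known ? $users[$user] : $dummy);
    return ($known && $ok) ? $user : null;
}

// Constructed sample Authorization header values, one per request.
$samples = [
    'Basic ' . base64_encode('alice:correct horse'),
    'Basic ' . base64_encode('alice:wrong'),
    'Basic not-base64!',
    null,
];
foreach ($samples as $header) {
    $user = authenticate_basic($header, $users);
    echo ($user !== null ? "200 OK as $user" : '401 Unauthorized; WWW-Authenticate: Basic realm="example"'), "\n";
}
```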


