Re: HTTP/1.1 Protocol: Help Needed

2005-05-12 00:04:22
Hi Keith,

Thanks for your response.

You mean to suggest that we should store the session details in form data?

Well... how do I, then, validate whether a valid session
(authenticated session) exists or not if I have to access resources
other than forms - like a movie file, PDF, doc, etc.?

As you say, cookies are sometimes disabled (and for good reasons), how
do I track the session for non-form resources/files?

And it also means that I cannot simply move from one page to another -
if I'm putting validation data as form data, each link must be a
form-submit link with some option.

How far can this be justified?

-- 
Cheers,
Gaurav Vaish
http://www.mastergaurav.org
http://mastergaurav.blogspot.com
--------------------------------


On 5/12/05, Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> wrote:
> > I have a situation where the clients do not have cookies enabled and
> > I have to authenticate through forms.
>
> it's not appropriate to use cookies for authentication anyway.  they weren't
> designed to be authentication tokens and (at least as typically used) they're
> not suitably protected from exposure.  and as you point out, cookies are
> sometimes disabled (and for good reasons).
>
> for similar reasons, using part of a URL as an authentication token isn't
> a good idea either.
>
> form data may be somewhat better protected.
>
> Keith


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf