Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by Jerry Asher on
Henry,

Can you describe a bit more about what you mean by authentication and login? I can see how session ids can be easily encoded into the URL, but I would worry about placing a permanent, bookmarkable, user id representing an authenticated user into the URL.

The nice feature of cookies is that you can put a great deal of data in them (so that makes it hard for users to just try random cookies) and they are invisible: ignoring any security through obscurity benefits, that makes them a friendly UI.

I notice that Amazon has taken to moving query parameters, including session ids, into some odd-looking URLs:

http://www.amazon.com/exec/obidos/ASIN/0140067485/o/qid=987113900/sr=2-1/107-1497231-4480558

And Tom Jackson has a Tcl module for AOLserver that can be used to do something similar for AOLserver sites. I believe Saleonall.com is using his VAT module. If you visit http://saleonall.com/cat/input/keyboards/7063/onemfg.html you can see how his catalog is encoded into the URL and doesn't use the query field.

I am not sure what servlets are doing, but I hope to rsn.... And I would love to see this placed into the 4.x request processor and security handler....
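The distinction drawn above, between a bookmarkable user id in the URL and an opaque session id that is hard to guess, as an added example that is not part of this thread, of OpenACS, or of the VAT module. It assumes a constructed secret, a one-hour lifetime and an Amazon-style path layout of `/cat/<item>/s=<token>/...`; the token is signed and expiring, so guessing or reusing it later yields nothing, whereas a bare user id would work forever.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlsplit

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 3600  # seconds a URL-embedded session stays valid (assumption)


def issue_session_segment(user_id, now=None):
    """Build an opaque, expiring session token for a URL path segment.

    Unlike a bare user id, the token carries a random nonce and an HMAC over
    (user, expiry, nonce), so it cannot be guessed, forged, or used after expiry.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    body = f"{user_id}.{now + TOKEN_TTL}.{nonce}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"


def verify_session_segment(segment, now=None):
    """Return the user id if the segment is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        uid, expires, nonce, mac = segment.split(".")
    except ValueError:
        return None  # malformed token
    body = f"{uid}.{expires}.{nonce}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or guessed token
    if now >= int(expires):
        return None  # bookmarked URL replayed after the session ended
    return int(uid)


def user_from_url(url, now=None):
    """Pull the session from the path (not the query string) and verify it."""
    for part in urlsplit(url).path.split("/"):
        if part.startswith("s="):
            return verify_session_segment(part[2:], now)
    return None
```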