Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by Jerry Asher on

Can you describe a bit more about what you mean by authentication and login? I can see how session ids can be easily encoded into the URL, but I would worry about placing a permanent, bookmarkable, user id representing an authenticated user into the URL.

The nice feature of cookies is that you can put a great deal of data in them (so that makes it hard for users to just try random cookies) and they are invisible: ignoring any security through obscurity benefits, that makes them a friendly UI.

I notice that Amazon has taken to moving query parameters, including session ids, into some odd-looking URLs:

And Tom Jackson has a Tcl module for AOLserver that can be used to do something similar for AOLserver sites. I believe is using his VAT module. If you visit you can see how his catalog is encoded into the URL and doesn't use the query field.

I am not sure what servlets are doing, but I hope to rsn.... And I would love to see this placed into the 4.x request processor and security handler....
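One way to embed a session identifier in the URL path (rather than the query string) without turning it into a permanent, bookmarkable credential, shown here as an added Python example that is not code from this thread, OpenACS, or the VAT module: the path carries a random, opaque session id bound to an expiry by an HMAC, so a copied or bookmarked URL stops working after the lifetime and cannot be edited to name another session. The secret, lifetime and the `/s/<token>` path layout are assumptions for the illustration.

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder; a real server loads its secret from configuration.
SERVER_SECRET = b"hypothetical-server-secret"
TOKEN_LIFETIME = 3600  # seconds a URL-embedded token stays valid (assumed)

def new_session_id() -> str:
    # 192 random bits: an opaque handle, never a user id the visitor could guess.
    return secrets.token_urlsafe(24)

def mint_token(session_id: str, now: int = None) -> str:
    """Return 'session_id.expiry.mac'; the MAC binds id and expiry together."""
    now = int(time.time()) if now is None else now
    body = f"{session_id}.{now + TOKEN_LIFETIME}"
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"

def embed_in_path(url: str, token: str) -> str:
    """Prefix the path with '/s/<token>', leaving the query string untouched."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=f"/s/{token}{parts.path}"))

def extract_from_path(url: str, now: int = None):
    """Return (session_id, url_without_token) for a valid token, else None."""
    parts = urlsplit(url)
    segs = parts.path.split("/", 3)          # ['', 's', token, rest-of-path]
    if len(segs) < 3 or segs[1] != "s":
        return None
    try:
        session_id, expiry, mac = segs[2].split(".")
        expiry = int(expiry)
    except ValueError:
        return None                          # malformed token
    body = f"{session_id}.{expiry}"
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None                          # tampered id or expiry
    now = int(time.time()) if now is None else now
    if now >= expiry:
        return None                          # bookmarked URL has gone stale
    rest = "/" + segs[3] if len(segs) > 3 else "/"
    return session_id, urlunsplit(parts._replace(path=rest))
```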