On Thu, Sep 1, 2011 at 09:23, Jean-Baptiste BRIAUD -- Novlog <
[email protected]> wrote:
> That's totally true. In other words: +1.
> I'd like to ask a question linked to that.
>
> If I maintain state on the server, say using a JEE session or other
> technology, it is simple to validate that the user is logged in at *each* server request,
> as you said.
> To do that, we're using a JEE filter.
>
> I would love not to have state on the server so it becomes simply scalable (or
> simpler than when the server maintains state).
> Then, how to maintain security?
> I tried to find a way a few years ago based on an "application cookie"
> containing a ciphered unique number that the server returns for each request.
> Example
> login: return a
> 1st request: send a + usual request values and return b + usual request
> return values
> 2nd request: send b + usual request values and return c + usual request
> return values ...
>
> Unfortunately, I'm not sure it is secure and we didn't have more time to
> investigate that point, so our server currently uses sessions only for
> security.
>
> Any idea to improve that?
>
>
You might take a look at what Google and the authentication community have
done for authentication.
http://code.google.com/apis/accounts/docs/OAuth.html
Whether this can be reduced to something that applies only to a single web
site, I don't know, but it may give you some ideas.
Derrell
_______________________________________________
qooxdoo-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel