On Mon, 21 Jan 2008, Aristotle Pagaltzis wrote:
> The part where web browsers really do suck – and I really mean
> suck utterly terribly – is HTTP Auth, which makes you have to…
> well, you don’t quite have to violate REST constraints, but you
> are forced to traipse into grey areas like cookie-based auth (not
> sessions!).
I think sessions _can_ be RESTful if they are part of the URI, though you
probably wouldn't want to use them for auth.
I _do_ use sessions in VegGuide.Org in what I think is a RESTful way.
Certain redirects will send you to a URI like
http://www.vegguide.org/user/login_form/-/a746d3cba351bde58debde610b40715d49ec4312
This URI represents a unique thing, which is the login_form + a session.
I only use the session to hold very transient things, like error or
success messages after a form submission. In the case of an error, it also
holds the state of the form so we can repopulate it.
I try to be careful to keep sensitive information out of the session,
because they are in theory hijackable. In practice, that's unlikely, since
a session is only good for 5 minutes, and they're digest-ed with whatever
it is Catalyst::Plugin::Session uses.
-dave
/*===================================================
VegGuide.Org www.BookIRead.com
Your guide to all that's veg. My book blog
===================================================*/
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
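The pattern Dave describes above (a session identifier carried in the URI, holding only transient form state and messages, expiring after five minutes, and protected by a digest) can be sketched in a few lines. The code below is an added Python illustration written for this thread; it is not VegGuide's code and not how Catalyst::Plugin::Session is implemented. The `TransientSessionStore` class, the `id.tag` token layout, the `FORBIDDEN_KEYS` list and the demo key are all assumptions chosen to make the idea concrete.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: a real deployment would load this from configuration.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Sessions are only good for five minutes, as in the post.
SESSION_TTL_SECONDS = 300

# Assumed policy: keys that must never be stored in a URI-addressable session,
# since anyone who obtains the URI can read it.
FORBIDDEN_KEYS = {"password", "credit_card", "secret"}


class TransientSessionStore:
    """Server-side store for short-lived, non-sensitive session data.

    The token placed in the URI is `<random id>.<hmac tag>`; the tag lets the
    server reject guessed or altered ids before consulting the store.
    """

    def __init__(self, key=DEMO_KEY, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._key = key
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._store = {}

    def _tag(self, sid):
        # Keyed digest over the id; an attacker without the key cannot forge it.
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, data):
        """Store transient data (flash messages, form state) and return a token."""
        for name in data:
            if name.lower() in FORBIDDEN_KEYS:
                raise ValueError(f"refusing to put {name!r} in a transient session")
        sid = secrets.token_hex(20)  # 160 bits of randomness, unguessable
        self._store[sid] = {"expires": self._clock() + self._ttl, "data": dict(data)}
        return f"{sid}.{self._tag(sid)}"

    def load(self, token):
        """Return the session data for a token, or None if invalid or expired."""
        sid, _, tag = token.partition(".")
        # Constant-time comparison on bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(tag.encode(), self._tag(sid).encode()):
            return None
        entry = self._store.get(sid)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._store[sid]  # expired: drop it and treat as unknown
            return None
        return entry["data"]

    def consume(self, token):
        """Load and then delete, so a redirect target reads the data only once."""
        data = self.load(token)
        if data is not None:
            del self._store[token.partition(".")[0]]
        return data


def login_form_uri(token):
    """Build the redirect target in the style quoted in the post (assumed layout)."""
    return f"http://www.vegguide.org/user/login_form/-/{token}"
```

A redirect after a failed login would call `create` with the error message and the submitted (non-secret) form fields, send the browser to `login_form_uri(token)`, and the form page would call `consume` to repopulate itself; anything older than five minutes or carrying a bad tag is simply ignored.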