Mike Kear said:
>
> Anyway, he says there's a security issue with using a token
> throughout for a session, so each page view has to issue a new
> token, and expire the last one.

What he wants is called "replay protection". It is considered a solved problem. Instead of using the half-baked design of your client, you should use the industry standard, peer-reviewed, time-tested design of HTTP Digest Authentication. See RFC 2617 for details. And the good news: it is built in to most browsers and webservers and you can build a custom client variables solution on top of it.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269985
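How the replay protection mentioned in the reply works in RFC 2617 Digest (qop=auth), as an added example that is not part of the original post: the server issues a nonce, the client binds each request to a rising nonce-count, and the server rejects any count it has already accepted. The `DigestVerifier` class, its in-memory dictionaries and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    # MD5 is the algorithm RFC 2617 specifies for Digest.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Request-digest for qop=auth as defined in RFC 2617, section 3.2.2."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Hypothetical server-side check keeping one counter per issued nonce."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords  # constructed user -> password map
        self.last_nc = {}           # nonce -> highest nonce-count accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.last_nc or user not in self.passwords:
            return False            # nonce was never issued here, or unknown user
        try:
            count = int(nc, 16)     # nc is sent as 8 hex digits
        except ValueError:
            return False
        if len(nc) != 8 or count <= self.last_nc[nonce]:
            return False            # malformed, replayed or reordered request
        expected = digest_response(user, self.realm, self.passwords[user],
                                   method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected.encode(), response.encode()):
            return False            # digest does not match the shared secret
        self.last_nc[nonce] = count  # advance only after a valid request
        return True
```

Because the nonce-count is part of the hashed string, a captured request cannot be resent with a higher count without knowing the password.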

