On 03/05/2010 12:11 PM, Mark Rajcok wrote:

> With this approach, how do you handle user authorization changes, say by an
> administrator?
> In other words, how do you handle invalidating the auth cookie?  Wouldn't a
> database lookup be required to ensure the auth cookie's info is still
> valid/current?

If you need auth changes to be immediately reflected then yes, you'll 
need to check on every request. For the most part though, this isn't 
required. If it's immediate if they aren't logged in, but if they are, it 
takes a few minutes, then that's ok for most uses.

> (I started down this road, but when I implemented my admin pages and started
> testing, I found that newly unauthorized users still had access because of
> the (old) auth cookie data.  I couldn't figure out a way around this,
> without hitting the database to check the auth cookie, at which point I
> didn't see the value of the auth cookie anymore.)

I still like to keep them separated since they are logically different, 
but I'm not a zealot on that point.

-- 
Michael Peters
Plus Three, LP
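The trade-off Michael describes, as an added illustration that is not code from this thread or from CGI::Application: a signed cookie carries the user's roles and issue time, the database is consulted only when the cookie is older than a few minutes (or the page insists on fresh data), and a tampered cookie or a removed account is rejected. The key, the window length and the `role_db` dict standing in for the users table are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json

# Constructed demo values, not from the thread: a server-side HMAC key and
# the window during which cached authorization data is trusted without a DB hit.
SECRET = b"constructed-demo-secret-change-me"
RECHECK_SECONDS = 300

def sign_cookie(uid, roles, now):
    """Encode uid, roles and issue time, then MAC them so clients can't alter them."""
    payload = json.dumps({"uid": uid, "roles": sorted(roles), "iat": now}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(mac).decode())

def verify_cookie(cookie):
    """Return the claims dict if the MAC checks out, else None (tampered or garbled)."""
    try:
        p64, m64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)

def authorize(cookie, role_db, now, require_fresh=False):
    """Return (roles, refreshed_cookie); roles is None when access must be denied.

    role_db stands in for the users table: uid -> list of current roles, with
    the key absent once the account has been removed or disabled.
    A DB lookup happens only when the cookie is older than RECHECK_SECONDS or
    the caller insists on fresh data (e.g. an admin page); otherwise the signed
    roles are trusted, so a revocation can lag by up to RECHECK_SECONDS.
    """
    claims = verify_cookie(cookie)
    if claims is None:
        return None, None
    if require_fresh or now - claims["iat"] > RECHECK_SECONDS:
        current = role_db.get(claims["uid"])
        if current is None:
            return None, None            # account gone: cookie is now worthless
        return set(current), sign_cookie(claims["uid"], current, now)
    return set(claims["roles"]), None    # within the window: no DB hit
```

Setting `RECHECK_SECONDS = 0` turns this into the check-on-every-request variant for sites that need changes reflected immediately.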

#####  CGI::Application community mailing list  ################
##                                                            ##
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp    ##
##                                                            ##
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:          http://cgiapp.erlbaum.net/                 ##
##                                                            ##
################################################################
