...but that *is* important: if you would be using a flow-based authentication mechanism, this is not a problem at all.
Why? If flow checks the authentication, I simply use a continuation
id from an authenticated user and I'm in the application.
Sure, same for any authentication mechanism that stores the credentials inside the session. You cannot prevent that.
It's like the key to your house. If you have it, you are in! That's how it is. Otherwise you have to authenticate on each request.
But I am glad "simply use a continuation id" usually is not that simple ;-)
cheers -- Torsten
