On Tue, Jan 19, 2010 at 06:31:29PM +0000, Brian Candler wrote: > What I was thinking is that you could give the user a cookie, signed using > the same algorithm and secret as the HTTP cookie auth module; they could > then login using this cookie, and once logged in create their account.
... and the reason for doing this is it's not easy to validate some other ephemeral token in validate_doc_update, especially if the design doc is world readable (in any case, who wants to do an HMAC-SHA1 or RSA signature check in Javascript? :-) However I'm totally open to other suggestions for this.
