On Thu, Aug 13, 2009 at 10:21 PM, Ben Short<[email protected]> wrote:
> 2009/8/13 Bertrand Delacretaz <[email protected]>:
>> ...Sling doesn't use http sessions - when you authenticate via your
>> browser and later run some javascript code, the browser uses cached
>> credentials and adds them to the http requests.
>
> Do you have any links that detail this, it's not something I have heard
> of before. < insert embarrassed smiley here >...

I haven't found a simple explanation of how that works in browsers
(and YMMV, see http://markmail.org/message/p3m26qccrmxtgsst), I guess
the best explanation is http://www.ietf.org/rfc/rfc2617.txt, search
for "preemptive" there.

What happens is, once your browser has computed the "Authorization"
HTTP header for a given path, it uses that same header for everything
under that path, including requests done in javascript.

Firefox clears this when you use its "clear private data -
authenticated sessions" function, but that's not HTTP sessions, just
cached credentials.

HTH,
-Bertrand
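
The path-scoped reuse described in the message above, modelled as an added example (not part of the original message, and not code from Sling or any browser). It follows the RFC 2617 section 2 rule that paths at or below the directory of an authenticated URL share its protection space; the class name `BasicAuthCache`, the URLs and the credentials are constructed for illustration, and it assumes Node.js.

```javascript
// Model of a browser's Basic-auth credential cache (RFC 2617, section 2).
// Hypothetical names throughout; real browsers differ in detail.
class BasicAuthCache {
  constructor() {
    this.entries = []; // each entry: { origin, prefix, header }
  }

  // Directory part of a path: "/content/site/page.html" -> "/content/site/"
  static scopeOf(pathname) {
    return pathname.slice(0, pathname.lastIndexOf("/") + 1);
  }

  // Called once a request to `url` has been authenticated with these credentials.
  remember(url, user, password) {
    const u = new URL(url);
    const token = Buffer.from(`${user}:${password}`, "utf8").toString("base64");
    this.entries.push({
      origin: u.origin,
      prefix: BasicAuthCache.scopeOf(u.pathname),
      header: `Basic ${token}`,
    });
  }

  // Authorization header to send preemptively for `url`, or null if out of scope.
  // Applies to any request, including ones issued from script.
  headerFor(url) {
    const u = new URL(url);
    let best = null;
    for (const e of this.entries) {
      if (e.origin !== u.origin || !u.pathname.startsWith(e.prefix)) continue;
      if (best === null || e.prefix.length > best.prefix.length) best = e;
    }
    return best ? best.header : null;
  }

  // Counterpart of "clear private data - authenticated sessions":
  // nothing is invalidated on the server, the client just forgets the header.
  clear() {
    this.entries = [];
  }
}

// Constructed sample: the user logged in while loading one page.
const cache = new BasicAuthCache();
cache.remember("http://localhost:8080/content/site/page.html", "user", "pass");
console.log(cache.headerFor("http://localhost:8080/content/site/child.json"));
console.log(cache.headerFor("http://localhost:8080/apps/other"));
```
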
