(Sorry for the delay in replying to this - was on vacation).

>> 7.  Netscape's API -- Run something under Netscape's cookie model that
>> lets a user authenticate and get a Netscape cookie, which the browser then
>> uses to get subsequent pages, until the cookie expires, the browser exits,
>> or the user explicitly logs out.  The server has to keep track of the
>> cookies and identities, though.  Drawback is that it limits you to
>> Netscape's browsers, and Netscape's server.
>
>Actually, most of the commercial browsers support cookies.
>See http://www.research.digital.com/nsl/formtest/stats-by-test/NetscapeCookie.html
>(which in turn is under http://www.research.digital.com/nsl/formtest/home.html).
>
>The server does not need to keep track of the cookie.  The cookie can
>be of a fairly generous size.  All you need do is store, in the cookie,
>encrypted state information about the user, using a secret key only
>known to the server.

I don't know everything about cookies, so maybe I'm missing something
obvious - how does this prevent replay attacks?  If you're just requesting
a stored cookie, you don't generate an authenticator.

--Ken
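As an added illustration of the stateless-cookie design the quoted reply describes (this is example code, not anything from the original thread or from any particular server), the block below issues a cookie whose state is protected with a server-only secret and then checks it. It uses an HMAC tag rather than encryption, because integrity is what stops a client from forging a different identity; the key name, the claim names, and the fixed clock values are all assumptions for the example. It also makes the point raised in the question concrete: within its lifetime a copied cookie verifies exactly as the original does, so the server's only stateless defence against replay is a short expiry, and an explicit logout needs at least a small amount of server-side state (here a revocation set).

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server secret; a real deployment loads this from protected
# configuration and rotates it. Anyone holding it can mint valid cookies.
SERVER_KEY = b"example-secret-key-not-for-production"

# Minimal server-side state: cookies the user has explicitly logged out.
# Without this, a stateless cookie stays valid until it expires.
_revoked = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, ttl: int, now: float = None, key: bytes = SERVER_KEY) -> str:
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    claims = {"user": user, "iat": int(now), "exp": int(now + ttl)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_cookie(cookie: str, now: float = None, key: bytes = SERVER_KEY):
    """Return the user name if the cookie is genuine, unexpired and not
    revoked, otherwise None. Note that a byte-for-byte replay of a valid
    cookie passes every check here until it expires."""
    now = time.time() if now is None else now
    if cookie in _revoked:
        return None
    try:
        p, t = cookie.split(".", 1)
        payload, tag = _b64d(p), _b64d(t)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["user"]


def logout(cookie: str) -> None:
    """Explicit logout: the server must remember the cookie to reject it."""
    _revoked.add(cookie)


def forge_user(cookie: str, new_user: str) -> str:
    """Constructed test input: swap the user in the payload but keep the
    old tag, as a client without the key would have to."""
    p, t = cookie.split(".", 1)
    claims = json.loads(_b64d(p))
    claims["user"] = new_user
    return _b64e(json.dumps(claims, separators=(",", ":")).encode()) + "." + t


if __name__ == "__main__":
    c = issue_cookie("alice", ttl=600, now=1000)
    print("within lifetime:", verify_cookie(c, now=1100))   # alice
    print("replayed copy:  ", verify_cookie(str(c), now=1500))  # alice (replay accepted)
    print("after expiry:   ", verify_cookie(c, now=1700))   # None
    print("forged user:    ", verify_cookie(forge_user(c, "bob"), now=1100))  # None
    logout(c)
    print("after logout:   ", verify_cookie(c, now=1100))   # None
```

The fixed `now` values exist only so the behaviour is reproducible; a server passes the real clock. Shortening `ttl` narrows the replay window, and the revocation set is the one piece of per-cookie state the server cannot avoid if logout has to take effect before expiry.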
