----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

Nathan wrote:

> I am starting to work on an ASP (Application Service Provider)
> product for
> my company and I am just beginning to work on the security concerns.  I
> plan on using server-side cookies for authentication.  As I have yet to
> even begin I thought I might try and leverage some of your experiences.

We're just starting out in Jserv-land ... but I do know something about this
issue.

I don't think cookies are a "best practices" for authentication.

I do see Cookies as a way of recognizing a user ... but the accepted thing
is to have them sign on ... via a password ... and then maintain a "session
state" for all subsequent web pages.  I.E. you assign a session ID for this
transaction and keep track of that user as long as they stay 'connected'.
Typically you time out the session after some period of inactivity.

I used to do that by embedding the session id in all the URL links ... or in
a hidden form on the web page.  I understand that JServ ... particularly
the jssi stuff ... has features for maintaining session state et al.

Bill Volk
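The sign-on-then-session-ID scheme Bill describes, as an added illustration that is not code from the thread or from JServ: a server-side session table keyed by an unguessable ID, refreshed on every request and expired after a period of inactivity. The `SessionStore` class, the `sid` field name and the 15-minute idle timeout are all assumptions chosen for this example; the clock is passed in explicitly so the timeout logic can be exercised without waiting.

```python
import html
import secrets
import time
from dataclasses import dataclass

# Constructed example value: drop a session after 15 minutes without a request.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_seen: float  # wall-clock time of the most recent request on this session


class SessionStore:
    """Server-side session table (hypothetical helper, not a JServ API).

    The client only ever holds the opaque session ID; user identity and
    activity time live here, on the server.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def sign_on(self, user, now=None):
        """Mint a fresh session ID. Call this only after the password check passed."""
        now = time.time() if now is None else now
        # 32 bytes (256 bits) from the OS CSPRNG, so the ID cannot be guessed or predicted.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user=user, last_seen=now)
        return session_id

    def lookup(self, session_id, now=None):
        """Return the user bound to a live session and refresh its idle timer.

        Returns None for unknown IDs and for sessions idle longer than the
        timeout; an expired entry is removed so it cannot be revived later.
        """
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[session_id]
            return None
        session.last_seen = now
        return session.user

    def sign_off(self, session_id):
        """Explicit logout: forget the session immediately, whatever its age."""
        self._sessions.pop(session_id, None)

    def purge_idle(self, now=None):
        """Housekeeping sweep for sessions that timed out without a further request."""
        now = time.time() if now is None else now
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_seen > self.idle_timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


def hidden_field(session_id):
    """Carry the ID in a hidden form field, one of the two options the post mentions."""
    return '<input type="hidden" name="sid" value="%s">' % html.escape(session_id, quote=True)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.sign_on("nathan", now=0)
    print(hidden_field(sid))
    print(store.lookup(sid, now=600))          # within the idle window: "nathan"
    print(store.lookup(sid, now=600 + 901))    # 901 s idle: None, and the entry is gone
```

Two points worth keeping in mind when adapting this: the server compares only the opaque ID, so its strength rests entirely on being drawn from a cryptographic random source; and an ID embedded in URL links, as the post describes, ends up in browser history, proxy and server logs, and Referer headers sent to other sites, which is why the hidden-form (or cookie) carrier is usually preferred for the ID even when the authentication itself is a password sign-on.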



--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Search Archives: 
<http://www.mail-archive.com/java-apache-users%40list.working-dogs.com/>
Problems?:           [EMAIL PROTECTED]