"Randal L. Schwartz" wrote:
> 
> >>>>> "Jeffrey" == Jeffrey W Baker <[EMAIL PROTECTED]> writes:
> 
> Jeffrey> Cookies are an acceptable way to make the browser remember
> Jeffrey> something about your site.
> 
> Speak for yourself.  I'd change that to "... one possible way ..." instead
> of "acceptable way", and add "... for a single session".
> 
> Cookies are evil when used for long-term identification.
> 
> There is no one-to-one correspondence between a user and a browser,
> and yet cookies presume so.  In a given week, I might use four or five
> browsers, and a few of those will be in public places, like libraries
> or client's sites.

Randal, how do you suppose that HTTP basic auth works?  The user agent stores
the username and password and transmits them to the server on every request. 
This is exactly identical to a cookie which is set to have a short expiration
time.  That's why I say replacing basic auth with cookies is acceptable: both of
them are a totally inadequate way to authenticate users.

-jwb
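
The comparison in the reply above, as an added example that is not part of the original message: a user agent that has stored either a Basic credential or a cookie attaches the same header to every request, and the parser shows what each header carries. The host, paths, username, password and session value are constructed for illustration.

```python
import base64
from http.cookies import SimpleCookie

# Constructed sample values (assumptions, not taken from the thread).
BASIC = "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()
COOKIE = "Cookie: session=8f2c1e7a9b"


def request_with(path, header):
    """Request a user agent sends once it has stored `header` for the site."""
    return f"GET {path} HTTP/1.0\r\nHost: www.example.com\r\n{header}\r\n\r\n"


def sent_credentials(raw_request):
    """Return the credential material carried in one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        # Basic auth is base64("user:password"): encoded, not encrypted.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")  # password may contain ':'
        found["basic"] = {"user": user, "password": password}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        found["cookie"] = {name: morsel.value for name, morsel in jar.items()}
    return found


def observe(header, paths=("/", "/inbox", "/logout")):
    """Credentials present in each request of one browsing session."""
    return [sent_credentials(request_with(path, header)) for path in paths]


if __name__ == "__main__":
    for stored in (BASIC, COOKIE):
        for seen in observe(stored):
            print(seen)
```
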
