At 09:42 AM 4/22/00 -0500, Michael Schout wrote:
>On Thu, Apr 20, 2000 at 12:15:16PM -0400, DeWitt Clinton wrote:
> > The secure session has the following properties:
> >
> > *) The user is able to initiate a secure session by providing proper
> > credentials (i.e., a username and password pair) via a login process.
> >
> > *) The user is able to terminate the secure session via a logout
> > process.
> >
> > *) Secure sessions must be able to time out automatically.
> >
> > *) Secure sessions must *never* transmit sensitive data (such as the
> > password) over insecure channels.
>
>My Apache::TicketAccess module does all of this, but it uses cookies for the
>transport mechanism. So if using cookies is okay, then Apache::TicketAccess
>may be a solution for some folks.

You might want to consider adding a subclass that will hook into a handler
that will interpret a mangled URL with the session id if the cookie does
not exist in order to give people a choice. Then, have an API in the class
that can create the mangled URL on an as-needed basis for the web
application author to hook into.

This is similar to how sessions in Java Servlets work. Cookies are used by
default, but routines exist to help mangle the URLs for those that do not
wish to use them.

Later,
Gunther

__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
Extropia - The Web Technology Company
http://www.extropia.com/
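
The cookie-first, mangled-URL-fallback lookup discussed in this thread, as an added example that is not code from Apache::TicketAccess or from either poster. The ticket format (user, expiry, HMAC), the `Ticket` cookie name, the `/~s=` URL prefix and all function names are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Added illustration with hypothetical names; values below are constructed.
my $SECRET = 'constructed-demo-key';   # load from protected config in practice
my $TTL    = 900;                      # assumed 15-minute session timeout

# Ticket = user:expiry:mac. It carries a signed identity, never the password.
sub make_ticket {
    my ($user, $now) = @_;
    my $exp = $now + $TTL;
    return join ':', $user, $exp, hmac_sha256_hex("$user:$exp", $SECRET);
}

# Returns the user name for a valid, unexpired ticket, otherwise undef.
sub check_ticket {
    my ($ticket, $now) = @_;
    my ($user, $exp, $mac) = ($ticket // '') =~ /\A([\w.-]+):(\d+):([0-9a-f]{64})\z/
        or return;
    my $want = hmac_sha256_hex("$user:$exp", $SECRET);
    my $diff = 0;   # compare every character instead of stopping at the first mismatch
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return if $diff || $exp < $now;
    return $user;
}

# API for the application author: build the mangled URL on demand.
sub mangle_url {
    my ($path, $ticket) = @_;
    return "/~s=$ticket$path";
}

# Handler side: prefer the cookie, use the URL ticket only when no cookie exists.
# Returns (user or undef, path with the ticket segment stripped).
sub resolve_session {
    my ($cookie_header, $path, $now) = @_;
    my ($from_url) = $path =~ m{\A/~s=([^/]+)/};
    $path =~ s{\A/~s=[^/]+}{} if defined $from_url;
    my ($from_cookie) = ($cookie_header // '') =~ /(?:\A|;\s*)Ticket=([^;\s]+)/;
    my $user = check_ticket($from_cookie // $from_url, $now);
    return ($user, $path);
}

my $now = 956410920;                   # constructed timestamp
my $t   = make_ticket('alice', $now);
my $url = mangle_url('/account/view', $t);
my ($u1, $p1) = resolve_session(undef, $url, $now + 60);
my ($u2)      = resolve_session("Ticket=$t", '/account/view', $now + 60);
my ($u3)      = resolve_session(undef, $url, $now + $TTL + 1);
print "url: ", $u1 // 'denied', " $p1\ncookie: ", $u2 // 'denied', "\nlate: ", $u3 // 'denied', "\n";
```

A ticket carried in the URL ends up in access logs, browser history and Referer headers, so the expiry check and the logout path matter more for the fallback than for the cookie.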