>>> Duane Murphy <[EMAIL PROTECTED]> 6/8/99 4:38:04 PM >>>
>Ack. I'll not get into why URL re-writing is not a good choice.
Well maybe you have peculiar circumstances.
I use sessions in my day job without cookies or rewriting, but all my
client requests are POSTs (so I have the browser send the session id
that way).
>Is this really true?
Yes. It's really true.
Think about HTTP servers as finite state machines.
It's the state of the server that is important.
If you always return UNAUTHORIZED then the request will always be
unauthorized.
I know this sounds simple, but that's because it is.
>but what if they just
>cancel and re-request the page?
>Doesn't the browser just send the authentication information again?
Yeah, it might (depends on implementation - spec says it shouldn't
but hey!) but the server can still respond with UNAUTHORIZED.
>The question is does sending UNAUTHORIZED really cause the browser
>to remove the credentials?
Maybe, maybe not. Why is this important?
Your "session" management should be clever enough to know when
something is valid and when not.
If you're going to do it properly you should use realms that expire.
> But Sessions Are A Good Idea
> It's even easier though if you use sessions - this is one of the
> reasons they're in the API.
>no we won't use URL rewriting
Well, you may have a particular issue as I say, but...
>Another oddity is the authentication dialog. People
>are comforted by it and its "convenience".
Yes, I use sessions with authentication.
For GNU-Paperclips I am building an API that looks like the session
API but is in fact a security API.
This will be molded into Paperclips authentication so when you do a
getRemoteUser() you will be able to get session data.
>(I hope I have not taken this discussion away too far from the
>original question.)
Authentication is an often ignored section of servlet work, in part
because support in the engines has historically not been very good and
HTTP itself is very weak.
I'm sure the list is quite happy to see some of these things
discussed.
I would like to know what you've got against URL re-writing.
It seems perfectly acceptable to me (depending on implementation).
Nic
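The "server as finite state machine" point above (always answer UNAUTHORIZED while the server's own state says the user is not authorized, whatever the browser resends, and rotate realms so they expire) is worked through below as an added example. It is not code from Nic's post or from GNU-Paperclips; it is written in plain Python rather than against the servlet API so it runs stand-alone, and the realm name "Paperclips-N", the user table, the three per-user states and the demo clock are all assumptions made for the illustration.

```python
import base64
import hmac
import time

# Constructed demo credentials for this example (not from the original post).
# A real server stores password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}

# Assumed per-user states of the server's authentication state machine.
ANONYMOUS, AUTHENTICATED, LOGGING_OUT = "anonymous", "authenticated", "logging_out"


def parse_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_header(user, password):
    """Build the Authorization header a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class AuthServer:
    """Server side of HTTP Basic auth modelled as a finite state machine.

    The response is a function of server state, not of what the browser
    chooses to resend: a user who is logging out, or whose realm has expired,
    gets 401 even when the Authorization header still carries valid credentials.
    """

    def __init__(self, realm_ttl=600, clock=time.time):
        self.clock = clock
        self.realm_ttl = realm_ttl
        self.generation = 1           # bumped whenever the realm is rotated
        self.realm_issued = clock()
        self.state = {}               # user -> ANONYMOUS / AUTHENTICATED / LOGGING_OUT

    @property
    def realm(self):
        # The realm name carries the generation, so a rotated realm looks new to the browser.
        return f"Paperclips-{self.generation}"

    def _rotate_realm(self):
        self.generation += 1
        self.realm_issued = self.clock()
        # Everyone authenticated under the old realm must authenticate again.
        for user, st in self.state.items():
            if st == AUTHENTICATED:
                self.state[user] = LOGGING_OUT

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}, ""

    def logout(self, user):
        """Logout transition: mark the user LOGGING_OUT, rotate the realm, answer 401."""
        self.state[user] = LOGGING_OUT
        self._rotate_realm()
        return self._challenge()

    def handle(self, headers):
        """Handle one request; returns (status, response_headers, body)."""
        if self.clock() - self.realm_issued >= self.realm_ttl:
            self._rotate_realm()      # the realm has expired
        creds = parse_basic(headers.get("Authorization"))
        if creds is None:
            return self._challenge()
        user, password = creds
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            return self._challenge()
        # Credentials are correct; the server's state for this user decides the outcome.
        st = self.state.get(user, ANONYMOUS)
        if st == LOGGING_OUT:
            # The browser resent its cached credentials after logout: refuse once
            # so a conforming browser drops them, then fall back to ANONYMOUS.
            self.state[user] = ANONYMOUS
            return self._challenge()
        self.state[user] = AUTHENTICATED
        return 200, {}, f"hello {user}"


def demo():
    """Walk the state machine with a fake clock; returns the status codes a client sees."""
    now = [1000.0]
    server = AuthServer(realm_ttl=600, clock=lambda: now[0])
    good = {"Authorization": basic_header("alice", "correct horse battery staple")}
    bad = {"Authorization": basic_header("alice", "wrong")}
    codes = []
    codes.append(server.handle({})[0])        # 401: no credentials
    codes.append(server.handle(bad)[0])       # 401: wrong password
    codes.append(server.handle(good)[0])      # 200: logged in
    codes.append(server.logout("alice")[0])   # 401: logout response
    codes.append(server.handle(good)[0])      # 401: browser resent creds, still refused
    codes.append(server.handle(good)[0])      # 200: fresh login under the new realm
    now[0] += 601                             # realm expires
    codes.append(server.handle(good)[0])      # 401: must authenticate again
    codes.append(server.handle(good)[0])      # 200
    return codes
```

The limitation Nic hints at ("maybe, maybe not") is visible in the demo: Basic auth carries no realm in the request, so a browser that ignores the 401 and keeps resending valid credentials is back in after one refused request. The server can only guarantee its own state; making the user re-enter credentials is down to the browser honouring the new realm.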
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html