Re protection via Realms:
  - a useful mechanism, but by itself might not do the whole job.  For
    example, if you need to have users log into a specific domain (e.g.
    different clients get different data) (as happens in many apps)
    where the userid isn't enough info (one value of Realms is
    non-unique IDs), then you need to still force people thru a
    specific login.
Re object in a session.
  - Note that this can be fabricated by a hacker.  For real security
    you need to look at encrypting it with varying keys.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.


