Guy Hulbert wrote:
> On Tue, 2005-25-10 at 11:56 -0400, Kevin Dangoor wrote:
> > snippet of JavaScript code that looks at the cookie's expiration and
> How hard will it be to remove cookies from the app ... I'm working with
> someone who avoids cookies religiously.
Basically you have three options for maintaining your identity session:
1) HTTP Auth -- although not currently implemented by the TurboGears
identity management code, HTTP basic and digest credentials are passed
with each request. Unfortunately, there is no convenient way to log out
of an HTTP Auth session -- all options lead to presenting the visitor
with a new login dialog box he must dismiss. Icky.
2) Cookies -- The TurboGears identity management code uses a signed
cookie with a built-in expiration. The expiration of the identity cookie
is separate from the expiration of the cookie itself (although both are
set to the same value). Because we can't trust a browser to actually
stop sending the cookie when it has expired, the expiration time is
included in the identity cookie value itself.
3) URL rewriting -- For religious zealots who can't abide cookies, you
can rewrite the URL to include a unique session ID. This is a lot of
work -- both for the app developer and the app server. You'd wind up
with URLs like the following:
http://myserver/app-path?sessionId=<absolute-gibberish>
or http://myserver/app-path/<absolute-gibberish>
or http://<absolute-gibberish>.myserver/app-path/
This makes bookmarking somewhat unpleasant. But it does work. My
attitude is if you don't want cookies, fine. You don't *have* to use my
app. (Naturally, I recognise others have other opinions.)
--
Jeff Watkins
http://metrocat.org/
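
An illustration of the signed-cookie design described in option 2, added here as an example; it is not part of the original message and not the TurboGears identity code. The `user_id|expires|signature` layout, the use of HMAC-SHA256, the key and all function names are assumptions. The point it shows is that the expiry is covered by the signature and checked on the server, so a browser that keeps sending an expired cookie, or a client that edits the expiry, is rejected.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload, key):
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_identity_cookie(user_id, ttl_seconds, now=None, key=SECRET_KEY):
    """Build 'user_id|expires|signature'; the expiry is part of the signed data."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    payload = f"{user_id}|{expires}"
    return f"{payload}|{_sign(payload, key)}"


def verify_identity_cookie(value, now=None, key=SECRET_KEY):
    """Return the user_id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    parts = value.split("|")
    if len(parts) != 3:
        return None
    user_id, expires_text, signature = parts
    expected = _sign(f"{user_id}|{expires_text}", key)
    # Verify the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return None
    # The expiry was signed by the server, so it parses; enforce it server-side
    # regardless of what the browser's own cookie expiry says.
    if now >= int(expires_text):
        return None
    return user_id
```
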