Hi, so I've been poking around the source for Sling's FormAuth handler to understand how it's built and ran into something slightly alarming (I could just not be following the code through properly, though).
It seems that Sling Form Auth works like this:

1) User provides user/pass
2) User's user/pass are validated
3) User's authInfo (password, secureTokenNum, etc.) is stored in the Session (??)
4) User is issued a cookie with the userId and secureTokenNum
5) User makes a request with the cookie
6) Sling validates the cookie (looking up secureTokenNum in the Session)
7) User gets the authInfo (password) from the Session and sends it to the LoginModule

Is my understanding of this correct? If so, how does this solution scale across servers? Is there some persistence mechanism I'm missing? Or are users being logged in using something like trust credentials?

Thanks
