Are you talking about what happens when user requests are load balanced and
a request could potentially go to different servers?

I'm not sure what the detail is for the form auth handler, but could it be that the
secure token is temporarily stored in the user's JCR node?

Sarwar

On Tue, Apr 3, 2012 at 3:04 PM, David G. <[email protected]> wrote:

> Hi,
>
> So I've been poking around the src for Sling's FormAuth handler to
> understand how it's built out and ran into something slightly alarming (I
> could just not be following the code through properly, though).
>
> It seems that Sling Form Auth works like this:
>
> 1) User provides user/pass
> 2) User's user/pass are validated
> 3) User's authInfo (password, secureTokenNum, etc.) is stored in the
> Session(??)
> 4) User is issued a cookie with the userId and secureTokenNum
> 5) User makes a request with the cookie
> 6) Sling validates the cookie (looking up secureTokenNum in the Session)
> 7) User gets the authInfo (password) from the Session and sends it to the
> LoginModule
>
> Is my understanding of this correct?
>
> If so, how does this solution scale across servers? Is there some
> persistence mechanism I'm missing? Or are users being logged in using
> something like trust credentials?
>
> Thanks
>
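The seven-step flow as David describes it, simulated as an added example (not Sling's code) so the cross-server question can be seen concretely: each node keeps its own in-memory "Session" keyed by secureTokenNum, so a cookie issued by one node is unknown to the other. The credential store, node names and cookie format are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample credential store (not Sling's user repository).
USERS = {"alice": "s3cret"}


@dataclass
class Node:
    """One server instance with its own, non-shared Session store."""
    name: str
    sessions: dict = field(default_factory=dict)  # secureTokenNum -> authInfo

    def login(self, user, password):
        # Steps 1-4: validate user/pass, keep authInfo (including the
        # password) in this node's Session, issue userId + secureTokenNum.
        if USERS.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "password": password}
        return f"{user}:{token}"  # assumed cookie layout: userId:secureTokenNum

    def authenticate(self, cookie):
        # Steps 5-7: look secureTokenNum up in *this node's* Session and
        # hand the stored authInfo to the LoginModule (here: return it).
        user, _, token = cookie.partition(":")
        info = self.sessions.get(token)
        if info is None or info["user"] != user:
            return None
        return info


def cross_node_check():
    """Log in on node A, then present the same cookie to nodes A and B."""
    a, b = Node("A"), Node("B")
    cookie = a.login("alice", "s3cret")
    on_a = a.authenticate(cookie)
    return {
        "accepted_on_A": on_a is not None,
        "accepted_on_B": b.authenticate(cookie) is not None,  # no shared state
        "password_held_server_side": on_a["password"] if on_a else None,
    }


if __name__ == "__main__":
    print(cross_node_check())
```

Without a shared or replicated Session store (or a token the second node can verify on its own), the request that lands on node B is rejected, which is exactly the scaling gap the question raises.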
