NYPHP.org

[nycphp-talk] AJAX and State

Kenneth Downs ken at secdat.com
Wed Sep 19 06:56:37 EDT 2007


Elliotte Harold wrote:
> Daniel Convissor wrote:
>> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>>> Nonetheless, the username and password should be transmitted with 
>>> each request (in the HTTP header, not the URL)
>>
>> Are you saying the web browser should send the user name and password 
>> to the HTTP server on each request?  That's a lousy idea.
>>
>
> Yes I am, and it's not a lousy idea.  This follows directly from the 
> core principles of HTTP.  HTTP Basic authentication does that. HTTP 
> digest is a little more complex. And there are some other 
> alternatives. However the fundamental principle is that full auth data 
> must be sent with each request.
>
> Breaking that rule is going to cost you big time when you need to 
> scale an application. It very well may introduce single points of 
> failure into your app. You can architect around those, but only at the 
> cost of doing a lot more work with a lot more machines than you would 
> have had to do if your app had followed the design of HTTP instead of 
> working against it.
>

It is actually very appealing from the overall design viewpoint.  Since 
Andromeda logs you in to the db server with the credentials you supply 
(instead of something generic), we have lost all need for state.

The itch, though, is in entrusting the uid/pw to the browser's memory, 
which is easily exploitable.  I simply cannot believe that that data is 
adequately protected on an IE/Windows machine.

But then, on the third hand, the browser is trapping passwords anyway with 
various wallet mechanisms that I cannot prevent, so what the heck, right?

Right now I'm considering the judgment call between those two ideas.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



