[nycphp-talk] AJAX and State
Kenneth Downs
ken at secdat.com
Wed Sep 19 06:58:41 EDT 2007
Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> That can only be done if the password is stored on the browser
>> between requests. No thanks!
>
> I don't know about your browser but mine (and those of most of the
> people I know) store lots of passwords pretty much all the time. I
> prefer to trust Firefox's encryption and security to my ability to
> remember umpteen different passwords.
Me too, except that my customers still run IE on Windows.
>
>> At any rate, in principle I believe that sessions are a bad way to do
>> things, they just have that bag-on-the-side feel. The only permanent
>> use of a session in Andromeda is to store user information, notably
>> user_id and password. I do this only because I am not aware of a
>> secure session-less alternative. Any ideas are welcome.
>
> You may wish to explore what Amazon E3 does. They have some sort of
> unique private-key/public key encryption scheme that might suit you.
> Google GData also has some sort of strange, custom authentication
> scheme though I haven't explored it in detail.
>
You can issue them a key as well, and require that key. That adds
trouble to the login process, but does produce greater security.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
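The session-less, key-based scheme the thread is circling (the server issues the user a secret once, the client signs every request with it, and the server keeps neither a session nor the user's password) can be sketched as HMAC request signing. This is an added example, not code from the thread or from Andromeda; the in-memory key store, the header names, the canonical-string layout and the five-minute clock-skew window are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed server-side key store: user_id -> per-user secret issued at login.
# Assumed schema; a real deployment would keep this in a database, not in code.
KEY_STORE = {
    "alice": "c0ffee-constructed-secret-for-alice",
}

MAX_SKEW_SECONDS = 300  # assumed window; narrows replay, does not eliminate it


def canonical_string(method, path, timestamp, body):
    """Deterministic text both sides sign: method, path, time and a body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(user_id, secret, method, path, body=b"", timestamp=None):
    """Client side: compute the headers to attach to an outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, ts, body).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {"X-User": user_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers, method, path, body=b"", now=None):
    """Server side: return the authenticated user_id, or None on any failure.

    Nothing about the user is read from a session; the only state consulted
    is the issued secret in KEY_STORE.
    """
    user_id = headers.get("X-User")
    secret = KEY_STORE.get(user_id)
    if secret is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None  # stale request (or a replay outside the window)
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return user_id


if __name__ == "__main__":
    hdrs = sign_request("alice", KEY_STORE["alice"], "GET", "/orders/42")
    print(verify_request(hdrs, "GET", "/orders/42"))   # alice
    print(verify_request(hdrs, "GET", "/orders/43"))   # None: path changed
```

Binding the signature to method, path, body hash and timestamp means a captured request cannot be re-targeted at another resource, and it expires after the skew window; full replay protection within that window still needs a server-side record of seen timestamps or nonces, which is the one piece of state this design cannot avoid. The secret must travel to the client over TLS exactly once and is then the client's to protect, which is the trade-off Ken points to when he says a required key adds trouble to login.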