
Re: Re: Cookies at XML Europe 2004 -- Call for Particip at


At 10:13 PM -0800 1/5/04, Robert Koberg wrote:


>I must be missing something (definitely possible). If that URL is 
>what tells the server that the request is for a resource you would 
>not like others to access, then what does the password have to do 
>with it? Or are you saying there is some server session being 
>maintained (and so incurring all the overhead associated with it) (I 
>doubt something like amazon maintains sessions)? If so, and you use 
>a username to access the session, it still seems pretty insecure, at 
>least during your active session.
>

I think what you're missing is an understanding of how HTTP 
authentication works. Not surprising since it's very little used on 
the Web today. With HTTP authentication it is not enough to know the 
URI to load a page. You also need to provide a password and username, 
though not necessarily in the URL. For example, here's a URL for a 
password protected page:

http://www.cafeaulait.org/staging/

That is the complete URL of one resource. Try and load it and see 
what happens. Unless you know the user name and password, you can't 
get in. Once you've typed in the URL and password, however, you can 
load it using only that URL. The browser remembers the username and 
password for you. (Modern browsers even have an option to remember 
this between sessions.)

However, there is no server side session state here. Each page in the 
http://www.cafeaulait.org/staging/ tree is loaded using the 
originally provided user name and password. You don't have to reenter 
it for each page. Nor do I have to tie a user name and password to 
one directory tree on my hard drive. I can configure the realms to 
suit my needs and assign different user names and passwords to 
different lists of resources and their corresponding URIs. It's quite 
flexible.

-- 

   Elliotte Rusty Harold
   elharo@m...
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml            
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA 
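
The behaviour described in the message above, sketched as an added example that is not part of the original post: a server-side check that decides each request from its own `Authorization` header, keeps no session, and maps realms to lists of URI prefixes. It assumes the Basic scheme; the realm names, paths, users and passwords are constructed sample values.

```python
import base64, hashlib, hmac

SALT = b"constructed-salt"  # constructed sample value

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample configuration: each realm covers a list of URI prefixes.
REALMS = {
    "staging": {"prefixes": ["/staging/"], "users": {"editor": pw_hash("s3cret")}},
    "reports": {"prefixes": ["/reports/", "/stats/"], "users": {"analyst": pw_hash("hunter2")}},
}

def realm_for(path):
    for name, realm in REALMS.items():
        if any(path.startswith(p) for p in realm["prefixes"]):
            return name
    return None  # resource is not protected

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle(path, headers):
    """Decide one request from its own headers; no session store is consulted."""
    realm = realm_for(path)
    if realm is None:
        return 200, {}
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        stored = REALMS[realm]["users"].get(creds[0])
        # Constant-time comparison of the derived hashes.
        if stored and hmac.compare_digest(stored, pw_hash(creds[1])):
            return 200, {}
    # Challenge: the browser prompts once, then resends credentials itself.
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

def basic_header(user, password):
    """The header a browser attaches to every later request in the realm."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

Because Basic credentials are only base64-encoded and travel with every request, they are readable by anyone on the path unless the connection uses TLS.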
