Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??
I'm not sure what browser you're using where each authenticated page request requires two hits, but IE will send authentication information for all subsequent hits in the same area without being asked. The first request obviously is rejected on the grounds that no authentication information is provided, but after that the browser should know to send it automatically. You are correct about the fact that with one "session key" (being the username), only one session can be active (two browsers going to the same place share state information). In many cases, this is acceptable, but if you want separate state information, a session key is desirable. The advantage here, though, is that the session key need not be cryptographically secure. All it needs to do is distinguish between one instance of a user and another. At least, that's how I would code it. Another user trying to use the same session key would be noticed by the script as someone else trying to use another person's key, or as an invalid key (since that key doesn't exist on the system for that user; each key would be "local" to that user.. *shrug*). Implementation is up to the coder.

As far as going back and forth between authenticated and unauthenticated portions of the site, you wouldn't even need to tag them with a cookie for unauthenticated portions. The moment they follow a link back into the protected area, their visit is authenticated again (silently) and if you specify appropriate path information for the cookies, the cookies get sent again. If you're concerned with their identity for pages X Y and Z, make those pages protected if you can.

I'm not saying HTTP authentication is always better than using cookies, but in many cases it's overlooked for whatever reason, and I was just trying to point that out.

In reply to RE: RE: Answer: Security: Cookies vs HTTP authentication by Fastolfe
in thread Security: Cookies vs HTTP authentication by rodry

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others avoiding work at the Monastery: (7)
As of 2024-04-18 21:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found