
Re: Security/authentication requirements for 1.3



Hi, Chris,

Why does the session need to time out? If we keep this RESTful, why
would we have a session at all?

Somebody's idea of setting http authentication to a known bad
user/password, and then having the server accept these credentials on a
certain page, has worked brilliantly here for logging out of http auth.

Cheers,
John

Chris Travers wrote:
> Hi all;
>
> Since we decided to go with HTTP authentication for 1.3, we have run
> into situations where existing functionality in session timeout cannot
> be safely maintained.  I guess I would suggest the following courses of
> action for 1.3:
>
> 1)  Offer a basic HTTP Auth module which has the following behavior
> when a session times out:
>    a)  Display a warning that discretionary locks have been released and
>    b)  Create a new session.
>
> 2)  Offer a cookie-based auth system which requires re-authentication
> when the session expires.
>
> Any objection to this direction?
>
> Best Wishes,
> Chris Travers
>
> _______________________________________________
> Ledger-smb-users mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-users



-- 
John Locke
"Open Source Solutions for Small Business Problems"
published by Charles River Media, June 2004
http://www.freelock.com
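The logout trick John describes, as an added Python example that is not code from the thread or from LedgerSMB: every path demands valid Basic credentials except `/logout`, which accepts only a sentinel user/password pair, so the browser replaces its cached credentials for the realm with the bad pair and is re-prompted on the next protected request. The realm, user store and sentinel values are constructed for the example.

```python
import base64
import hmac

REALM = "ledger-demo"                      # constructed realm name
USERS = {"alice": "correct horse"}         # constructed credential store
LOGOUT_USER, LOGOUT_PASS = "logout", "logout"  # sentinel pair; must never be a real user


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def password_ok(user, password):
    """Constant-time check; unknown users still pay for a comparison."""
    expected = USERS.get(user, "")
    match = hmac.compare_digest(password.encode(), expected.encode())
    return match and user in USERS


def handle(path, authorization=None):
    """Return (status, headers, body) for a request on the given path."""
    challenge = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
    creds = parse_basic(authorization)
    if path == "/logout":
        # Only the sentinel pair is accepted here. Once the browser has sent it
        # successfully it caches it for the realm; every other path rejects it,
        # so the user is prompted for real credentials again.
        if creds and hmac.compare_digest(creds[0].encode(), LOGOUT_USER.encode()) \
                and hmac.compare_digest(creds[1].encode(), LOGOUT_PASS.encode()):
            return 200, [], "Logged out."
        return 401, challenge, "Send the logout credentials to log out."
    if creds is None or not password_ok(creds[0], creds[1]):
        return 401, challenge, "Authentication required."
    return 200, [], "Hello, %s." % creds[0]


def basic_header(user, password):
    """Build the Authorization header a client would send (test helper)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
```

Because the sentinel is a valid login on `/logout` only, it should be excluded from the user store and never granted any rights elsewhere.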