Lists Home |
Date Index |
> > Why do sites insist on using cookies for user authentication?
> HTTP auth requires SSL for all connections or else passwords can be
> stolen -- do you include that in your "setup in 5 minutes" overhead?
> With cookies, you only need SSL on the login page if you make the
> be an opaque ID into server state that has a time-out. In general,
> login cookies are more secure with less overhead.
The login token stored in the cookie can always be embedded in the URL
path, which is what ASP.NET does when you set the "cookieless auth"
setting to true. I've also done this in non-ASP systems, though not
sure how easy to configure in idealliance specific case.