At 10:13 PM -0800 1/5/04, Robert Koberg wrote:
>I must be missing something (definitely possible). If that URL is
>what tells the server that the request is for a resource you would
>not like others to access, then what does the password have to do
>with it? Or are you saying there is some server session being
>maintained (and so incurring all the overhead associated with it) (I
>doubt something like amazon maintains sessions)? If so, and you use
>a username to access the session, it still seems pretty insecure, at
>least during your active session.
>
I think what you're missing is an understanding of how HTTP
authentication works. Not surprising since it's very little used on
the Web today. With HTTP authentication it is not enough to know the
URI to load a page. You also need to provide a password and username,
though not necessarily in the URL. For example, here's a URL for a
password-protected page:
http://www.cafeaulait.org/staging/
That is the complete URL of one resource. Try and load it and see
what happens. Unless you know the user name and password, you can't
get in. Once you've typed in the URL and password, however, you can
load it using only that URL. The browser remembers the username and
password for you. (Modern browsers even have an option to remember
this between sessions.)
However, there is no server side session state here. Each page in the
http://www.cafeaulait.org/staging/ tree is loaded using the
originally provided user name and password. You don't have to reenter
it for each page. Nor do I have to tie a user name and password to
one directory tree on my hard drive. I can configure the realms to
suit my needs and assign different user names and passwords to
different lists of resources and their corresponding URIs. It's quite
flexible.
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
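To make the exchange described in the mail concrete, here is an added example (not code from the original message, and nothing to do with how cafeaulait.org is actually configured). It models both sides of HTTP Basic authentication as plain functions: a stateless server that maps path prefixes to realms and judges every request only by its Authorization header, and a browser-like client that, after one 401 challenge and one prompt, remembers the credentials for that directory tree and sends them with later requests without asking again. The realm names, paths, user names and passwords are all constructed for the example.

```python
"""HTTP Basic authentication, both sides of the exchange, with no server-side session."""
import base64
import hmac
import re

# Constructed server configuration: URL path prefixes mapped to a realm, and the
# users allowed in each realm. Plain-text passwords are used only to keep the
# example short; a real server stores salted password hashes.
REALMS = {
    "/staging/": "Staging Area",
    "/private/": "Private Files",
}
USERS = {
    "Staging Area": {"editor": "s3cret"},
    "Private Files": {"owner": "hunter2"},
}


def basic_header(user, password):
    """Build the Authorization header value. Note this is only base64, not encryption:
    anyone who can read the request can recover the password, so Basic relies on TLS."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def realm_for(path):
    """Return the realm protecting this path, or None if the path is public."""
    for prefix, realm in REALMS.items():
        if path.startswith(prefix):
            return realm
    return None


def check_credentials(realm, header):
    """Decode 'Basic <base64(user:password)>' and verify it against the realm's users."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = USERS.get(realm, {}).get(user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong password does not leak how many chars matched.
    return hmac.compare_digest(expected.encode(), password.encode())


def server(path, headers):
    """Handle one request. There is no session store: each request is judged on its own headers."""
    realm = realm_for(path)
    if realm is None or check_credentials(realm, headers.get("Authorization")):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def parse_realm(challenge):
    """Pull the realm name out of a WWW-Authenticate: Basic realm="..." challenge."""
    match = re.search(r'realm="([^"]*)"', challenge)
    return match.group(1) if match else ""


class Browser:
    """Client that, like a browser, remembers credentials per directory tree and re-sends them."""

    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback realm -> (user, password), or None if the user cancels
        self.remembered = {}       # directory prefix -> Authorization header value

    def get(self, path):
        """Fetch a path. Returns (status, prompted): prompted is True if the user was asked."""
        directory = path.rsplit("/", 1)[0] + "/"
        headers = {}
        for prefix, auth in self.remembered.items():
            if directory.startswith(prefix):
                headers["Authorization"] = auth   # send preemptively, no prompt needed
                break
        status, response = server(path, headers)
        if status != 401:
            return status, False
        realm = parse_realm(response["WWW-Authenticate"])
        creds = self.ask_user(realm)
        if creds is None:
            return 401, True
        auth = basic_header(*creds)
        status, _ = server(path, {"Authorization": auth})
        if status == 200:
            self.remembered[directory] = auth   # reuse for the rest of this subtree
        return status, True


if __name__ == "__main__":
    browser = Browser(lambda realm: ("editor", "s3cret") if realm == "Staging Area" else None)
    for p in ["/index.html", "/staging/", "/staging/notes.html", "/private/keys.txt"]:
        print(p, browser.get(p))
```

Running the demo shows the pattern the mail describes: the first request into /staging/ gets a 401 challenge and a prompt, the next request in the same tree succeeds with no prompt because the client re-sends the remembered header, and a path in a different realm is challenged separately. The server never stores anything between requests; all the "session" lives in the client's memory of the credentials.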