At 10:16 PM -0800 1/5/04, Robert Koberg wrote:
>> I wish my bank offered this, yes. Given the ID they assigned, the
>> password is the only thing strongly protecting the account.
>
>that and some random session identifier for your session, right?
Not if they're using the web architecture properly. HTTP is a
stateless, sessionless protocol. There is no session, nor does there
need to be one. Each request, GET or POST, is an atomic operation on
some resource. For example, a bank might offer me the following URIs:
http://www.bankexample.com/elharo/accountsummary/
http://www.bankexample.com/elharo/transactionlist/
http://www.bankexample.com/elharo/transactionlist?startdate=20030101&enddate=20031212
http://www.bankexample.com/elharo/transferfunds/
etc.
Each of these is bookmarkable, linkable, referrable, irrespective of
where I come from. They are not dependent on any kind of session.
However, access to each of these resources would require my user name
and password, which I would supply once, and the browser would repeat
as necessary. If the browser forgets it (e.g. I quit the browser and
relaunch it) then I would have to type it in again.
They are, of course, dependent on the state of the resources. For
instance the actual data served as the representation of
http://www.bankexample.com/elharo/accountsummary/ would change as
deposits and withdrawals are made.
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
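
The per-request check described in the message above, as an added example that is not part of the original post. It assumes HTTP Basic authentication carried over TLS; the credential store, the password, and the names `kdf`, `parse_basic` and `handle` are constructed for illustration.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: user name -> (salt, derived key). No session table exists.
USERS = {"elharo": (SALT, kdf("correct horse", SALT))}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="bankexample", charset="UTF-8"'}

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ":"
    return (user, password) if sep else None

def handle(path, headers):
    """Decide one request from what that request carries; returns (status, headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, CHALLENGE  # browser prompts once, then repeats the header
    user, password = creds
    # Unknown users still go through the KDF so timing does not reveal valid names.
    salt, stored = USERS.get(user, (SALT, bytes(32)))
    if not (hmac.compare_digest(kdf(password, salt), stored) and user in USERS):
        return 401, CHALLENGE
    # Authentication is not authorization: the first path segment names the
    # account owner and must match the authenticated user.
    if path.lstrip("/").split("/", 1)[0] != user:
        return 403, {}
    return 200, {"Cache-Control": "no-store"}
```

Because `handle` keeps nothing between calls, the URIs from the message can be requested in any order, and a valid credential for one user is still refused on another user's path.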