
List:       apache-modperl
Subject:    Re: Authorization question
From:       Perrin Harkins <perrin () elem ! com>
Date:       2003-02-27 20:44:06

Jean-Michel Hiver wrote:
>>It's pretty hard to truly separate these things.  Nobody wants to use
>>basic auth, which means there is a need for forms and handlers.
> 
> 
> How do you mean, 'nobody'? Users certainly don't mind!

Sure they do.  They want a nice HTML login screen, and features like 
"remember this login on this computer" (using cookies) which is standard 
on most major sites now.

> I admit that it's hard to get away without cookies and URI encoding
> schemes, but not impossible. There are a lot of tricks that you can do
> with path_info...

But path_info is URI encoding.  Also, most of the auth/access modules, 
including ones that stick to the auth and access phases, use cookies or 
URIs.  There really is no other option except basic auth.

If you build a generalized auth system, there may well be other people 
interested in it.  However, it would have to be very easy to change the 
mechanisms for maintaining state (cookies, URIs, basic auth) and 
checking credentials (any kind of database with any kind of schema). 
The latter probably means some custom development on every installation.

- Perrin
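
The following is an added example, not part of the original message and not code from any existing mod_perl auth module. It sketches the separation described in the last paragraph: the state mechanism (basic auth, cookie, URI) and the credential check are swappable pieces behind one `authenticate` call. All names, the `user:expiry:mac` ticket format, the request hash layout and the sample data are assumptions made for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(hmac_sha256_hex);
my $KEY = 'constructed-demo-key';    # assumption: per-site secret loaded from config
# Constructed user store; a real site would query its own database of password hashes.
my %users = (alice => 'correct horse');
my $check = sub { my ($u, $p) = @_; exists $users{$u} && $users{$u} eq $p };

sub ticket_mac  { hmac_sha256_hex($_[0], $KEY) }
sub make_ticket { my ($u, $e) = @_; return "$u:$e:" . ticket_mac("$u:$e") }
sub check_ticket {
    my ($ticket, $now) = @_;
    my ($u, $e, $m) = split /:/, ($ticket // ''), 3;
    return unless defined($m) && $e =~ /^\d+$/ && $e > $now;
    # Compare MACs of the MACs so string-comparison timing reveals nothing useful.
    return ticket_mac($m) eq ticket_mac(ticket_mac("$u:$e")) ? $u : undef;
}

# State mechanisms: each maps a request to an authenticated user name or undef.
my %carrier = (
    basic => sub {
        my ($req, $check) = @_;
        ($req->{authorization} // '') =~ /^Basic\s+(\S+)$/ or return;
        my ($u, $p) = split /:/, decode_base64($1), 2;
        return defined($p) && $check->($u, $p) ? $u : undef;
    },
    cookie => sub { ($_[0]{cookie} // '') =~ /(?:^|;\s*)ticket=([^;]+)/ ? check_ticket($1, $_[0]{now}) : undef },
    uri    => sub { ($_[0]{path_info} // '') =~ m{^/t=([^/]+)} ? check_ticket($1, $_[0]{now}) : undef },
);
sub authenticate {
    my ($req, $check, @order) = @_;
    for my $name (@order) {
        my $user = $carrier{$name}->($req, $check);
        return ($user, $name) if defined $user;
    }
    return;
}

my $now = time;
my $t   = make_ticket('alice', $now + 3600);
for my $req (    # constructed requests: one per state mechanism, plus a forged ticket
    { now => $now, authorization => 'Basic ' . encode_base64('alice:correct horse', '') },
    { now => $now, cookie    => "theme=dark; ticket=$t" },
    { now => $now, path_info => "/t=$t/report" },
    { now => $now, cookie    => 'ticket=alice:9999999999:forged' },
) {
    my ($user, $via) = authenticate($req, $check, qw(cookie uri basic));
    print defined $user ? "allow $user via $via\n" : "deny\n";
}
```

Only `$check` knows the user store, and only the `%carrier` entries know how state travels, so changing either one leaves `authenticate` untouched.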
