[Twisted-Python] Re: cred and stateless protocols

Phil Mayers p.mayers at imperial.ac.uk
Mon May 8 13:52:26 EDT 2006


Nicola Larosa wrote:
>> HTTP auth can also be used in such a way that the "session" is
>> simply the username that is being authenticated.  nevow.guard
>> attempts to make the distinction between cookie-based and
>> http-auth-based sessions simply an implementation detail.
> 
> Unfortunately they're functionally equivalent only as long as the
> same credentials are only used on one browser instance at the same
> time. If one user authenticates himself on two browsers with the same
> credentials, there can be two distinct cookie-based sessions, but
> only one http-auth based "session".

If you were using digest auth, correct use of the headers (I can't
remember which one off the top of my head) would allow >1 http auth
session. I looked at this a while back; the issue being few orgs. have
an authentication database that can serve digest.

There's nothing to stop you sending a cookie AND requiring
WWW-Authenticate. Whether a non-browser client would see and round-trip
the cookie is another matter of course.

Possibly judicious use of 302s and url-based sessions would suffice, but
I don't know if that would impress or enrage REST purists - arguably you
could say the redirect was to a "representation" of the object hierarchy
- google do something similar with the gdata API and rel="edit" for
Atom+HTTP based deletes.
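The digest-auth point above, as an added example that is not from this thread or from Twisted: with RFC 2617 digest auth the server hands out a fresh nonce in each WWW-Authenticate challenge, so two browsers logging in as the same user end up bound to different nonces and can be told apart as two sessions, which Basic auth cannot do. The credential store, the parsed-header dict shape and the `DigestSessions` class are constructed for the demo; the hash chain is the standard qop="auth" computation.

```python
import hashlib
import hmac
import secrets

REALM = "example"
# Constructed credential store for the demo (a real digest backend stores
# HA1 = MD5(user:realm:password), which is what the scheme actually needs).
USERS = {"alice": "s3cret"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()  # RFC 2617 digest is MD5-based


class DigestSessions:
    """Tracks server-issued nonces; an authenticated nonce *is* the session."""

    def __init__(self):
        self.nonces = {}  # nonce -> username once verified, None while outstanding

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = None
        return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"', nonce

    def authenticate(self, method, uri, auth):
        """auth: parsed fields of the client's Authorization header."""
        nonce = auth["nonce"]
        pw = USERS.get(auth["username"])
        if nonce not in self.nonces or pw is None:
            return None  # unknown nonce (not ours / replay) or unknown user
        ha1 = md5hex(f'{auth["username"]}:{REALM}:{pw}')
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f'{ha1}:{nonce}:{auth["nc"]}:{auth["cnonce"]}:auth:{ha2}')
        if not hmac.compare_digest(expected.encode(), auth["response"].encode()):
            return None
        self.nonces[nonce] = auth["username"]
        return nonce  # session identity is the nonce, not merely the username


def client_response(user, password, nonce, method, uri, cnonce, nc="00000001"):
    """What a browser computes from the challenge (constructed helper)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return {"username": user, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")}


def two_browsers_same_user():
    srv = DigestSessions()
    _, n1 = srv.challenge()  # browser 1 gets its own nonce
    _, n2 = srv.challenge()  # browser 2 gets another
    s1 = srv.authenticate("GET", "/", client_response("alice", "s3cret", n1, "GET", "/", "c1"))
    s2 = srv.authenticate("GET", "/", client_response("alice", "s3cret", n2, "GET", "/", "c2"))
    return s1, s2
```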
