<br><br><div><span class="gmail_quote">On 5/5/06, <b class="gmail_sendername">Nicola Larosa</b> <<a href="mailto:nico@teknico.net">nico@teknico.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> HTTP auth can also be used in such a way that the "session" is simply<br>> the username that is being authenticated. nevow.guard attempts to make<br>> the distinction between cookie-based and http-auth-based sessions simply
<br>> an implementation detail.<br><br>Unfortunately they're functionally equivalent only as long as the same<br>credentials are only used on one browser instance at the same time. If one<br>user authenticates himself on two browsers with the same credentials, there
<br>can be two distinct cookie-based sessions, but only one http-auth based<br>"session".<br></blockquote></div><br>that would be the case for a NAIVE cookie-based session.<br><br>an intelligent session management implementation would track be able to tell from
<br>the auth request that the user had already started a session and just use that.<br><br>this kind of thing is already been written by many people, the OP needs to just use<br>something that already exists, session tracking code is not something you should be
<br>writting unless you are writing framework code or an app server.<br><br>and since he is confusing / equating authenticaiton == sessions he lacks a fundemental<br>understanding about security and authentication, authorization and stateful vs stateless semantics.
<br>