
If you were to re-authenticate the user on every request, how do you have the client send the password to the server on every request without making the user enter it every time?


By storing it in a cookie - oh :-)

I suppose you could come up with some scheme where you create a new cookie with every request, a kind of one-time cookie to prevent session hijacking. Probably not worth it and not 100% reliable, though.

I guess just trusting in cookies is the only real option.

Or HTTP BasicAuth, it sends the password with every request I think (unencrypted, I know). In either case in theory you need HTTPS.
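The one-time cookie idea from the comment above, as an added example that is not part of the thread: a sketch of a server-side store that rotates the session token on every request and revokes the session when a spent token comes back. The class and method names and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class RotatingSessions:
    """Hypothetical store: each accepted request retires the presented token."""

    def __init__(self):
        self._owner = {}    # session id -> user name
        self._current = {}  # session id -> SHA-256 of the only valid token
        self._retired = {}  # SHA-256 of a spent token -> session id (unbounded here)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        # Runs once, after the password check; the password is never kept.
        sid = secrets.token_urlsafe(16)
        self._owner[sid] = user
        return self._issue(sid)

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)
        self._current[sid] = self._digest(token)
        return f"{sid}.{token}"  # cookie value; send it Secure and HttpOnly

    def request(self, cookie):
        """Return (user, next_cookie), or (None, None) if the cookie is rejected."""
        sid, _, token = cookie.partition(".")
        digest = self._digest(token)
        expected = self._current.get(sid)
        if expected is not None and hmac.compare_digest(expected, digest):
            self._retired[digest] = sid
            return self._owner[sid], self._issue(sid)
        if self._retired.get(digest) == sid:
            # Spent token replayed: theft, a lost response or a parallel request.
            self._current.pop(sid, None)
        return None, None


def demo():
    s = RotatingSessions()
    c1 = s.login("alice")      # constructed sample user
    ok, c2 = s.request(c1)     # legitimate request rotates the cookie
    replay, _ = s.request(c1)  # a copy of the old cookie is presented again
    after, _ = s.request(c2)   # the replay revoked the session
    return ok, replay, after
```

The replay branch is also where the scheme is unreliable: a response that never reaches the browser, or two tabs sending requests in parallel, looks the same to the server as a stolen cookie and logs the user out.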


Oh man, please tell me I'm misreading you, and you don't actually store your users' usernames and passwords in a cookie.


No, of course not. I mean yes, you misread me.



