Rolling my own basic authentication? - Django users

Message from discussion Rolling my own basic authentication?

magus

More options Aug 28 2006, 5:17 pm

From: "magus" <magnus.thern...@gmail.com>

Date: Mon, 28 Aug 2006 21:17:36 -0000

Local: Mon, Aug 28 2006 5:17 pm

Subject: Re: Rolling my own basic authentication?

  Reply to author
  |
  Forward
  | Print
  | View thread
  | Show original
  | Report this message
  | Find messages by this author
  

Sean Perry wrote:
> magus wrote:
> > Yes, but "cheapness" is only one of my concerns. I have two bigger
> > concerns:

> > 1. By limiting the external dependencies (i.e. the number of django
> > modules I use) I will lower the risk of being hit by a bug that I don't
> > control.
> > 2. AFAICS the session is represented by a cookie, for me this is
> > totally unnecessary since there will be no session. The webservice will
> > have no server-side state to keep track of. Also, there's a lot of
> > smart people out there and they keep on comming up with new and
> > interesting ways to use session cookies (session hijacking, session
> > fixation, etc.).

> if you never ask it to set a cookie, no cookie is ever created.

I believe you meant to say "if you never call login() no cookie is
created". That is good to know for the future if I ever actually NEED
the functionality that's available in contrib.auth :-)

Reply to author Forward