albert boulanger wrote:
> DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP.
AFAIK, no browsers (maybe Mozilla, but that has the stability of a house of cards ;-) support Digest and I'm pretty sure that Zope doesn't either :(
> 1) One should encrypt the info in the cookie
Definitely
> 2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?
Hehe, welcome to one of the biggest challenges on the web... that, and getting your CSS to be compatible with all the major browsers ;-)

cheers,
Chris