> -----Original Message-----
> From: Rob Koopman [mailto:[log in to unmask]]
> Sent: 14 June 2002 19:35
> To: [log in to unmask]
> Subject: Re: Betr.: Re: result set model for srw
>
>
> Matthew wrote:
> >I agree - what Janifer is talking about is a user authentication token
> >- not a session id. The original objection to Janifer was that a
> >session id is much more easily forged than a username as password (as
> >Rob has pointed out a session id may be little more than an incremented
> >number). For an authentication token to represent a username/password
> >pair without opening up spoofing attacks you need something far
> >stronger than a session id - or a permanent open socket à la classic
> >Z39.50.
>
>
> I disagree. It is trivial to make a session ID secure.
<snip>
Fair enough, and similar for result set id.
Matthew