> -----Original Message-----
> From: Rob Koopman [mailto:[log in to unmask]]
> Sent: 14 June 2002 19:35
> To: [log in to unmask]
> Subject: Re: Betr.: Re: result set model for srw
>
>
> Matthew wrote:
> >I agree - what Janifer is talking about is a user authentication token
> >- not a session id. The original objection to Janifer was that a
> >session id is much more easily forged than a username as password (as
> >Rob has pointed out a session id may be little more than an incremented
> >number). For an authentication token to represent a username/password
> >pair without opening up spoofing attacks you need something far
> >stronger than a session id - or a permanent open socket ala classic
> >Z39.50.
> >
>
> I disagree. It is trivial to make a session ID secure.

<snip>

Fair enough, and similar for result set id.

Matthew