> -----Original Message-----
> From: Rob Koopman [mailto:[log in to unmask]] 
> Sent: 14 June 2002 19:35
> To: [log in to unmask]
> Subject: Re: Betr.: Re: result set model for srw
> 
> 
> Matthew wrote:
> >I agree - what Janifer is talking about is a user authentication token
> >- not a session id. The original objection to Janifer was that a
> >session id is much more easily forged than a username as password (as
> >Rob has pointed out a session id may be little more than an incremented
> >number). For an authentication token to represent a username/password
> >pair without opening up spoofing attacks you need something far
> >stronger than a session id - or a permanent open socket ala classic
> >Z39.50.
> 
> 
> I disagree. It is trivial to make a session ID secure.

<snip>

Fair enough, and similar for result set id.

Matthew