> Simple answer ... there is no easy reliable alternative to:
> a. cookie
> b. Stick it in the request URL and/or data ... many alternatives in the
> details ...

neither of which are good places to store authentication tokens if exposure of such tokens would compromise either the resource being accessed or the user's identity. neither cookies nor URLs are typically well-protected against accidental exposure. they were not designed to be used for authentication. see RFC 2964 for more on use of cookies.

Keith