Hi Keith,

Thanks for your response.

You mean to suggest that we should store the session details in form data?

Well... how do I, then, validate whether a valid session (authenticated session) exists or not if I have to access resources other than forms - like movie file, pdf, doc etc!

As you say, cookies are sometimes disabled (and for good reasons), how do I track the session for non-form resources/files?

And it also means that I cannot simply move from one page to another - if I'm putting validation data as form data, each link must be a form-submit link with some option.

How far can this be justified?

--
Cheers,
Gaurav Vaish
http://www.mastergaurav.org
http://mastergaurav.blogspot.com
--------------------------------

On 5/12/05, Keith Moore <moore@xxxxxxxxxx> wrote:
> > I have a situation where the clients do not have cookies enabled and
> > I have to authenticate through forms.
>
> it's not appropriate to use cookies for authentication anyway. they weren't
> designed to be authentication tokens and (at least as typically used) they're
> not suitably protected from exposure. and as you point out, cookies are
> sometimes disabled (and for good reasons).
>
> for similar reasons, using part of a URL as an authentication token isn't
> a good idea either.
>
> form data may be somewhat better protected.
>
> Keith
>

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf