couchdb-dev mailing list archives

From Mark Hammond
Subject Re: Cookie Auth
Date Fri, 10 Jul 2009 23:50:44 GMT
On 11/07/2009 2:50 AM, Chris Anderson wrote:

> One man's feature creep is another's requirement... I try to keep a
> level head about CouchDB features by leaving out the ones that every
> application will do differently. If we can make a session handler that
> CouchApps all use by default, it will take an entire territory of pain
> away from application developers. If we leave it out, everyone will
> implement it differently and that starts to be its own problem.

I agree with the sentiment, but do wonder if this session handler really 
will be a handler everyone can use by default.  My experience with
web-based authentication has been that the biggest challenges are
*integration* with existing auth schemes and concepts of 'session'. 
Integration directly with an external auth system (eg, NTLM), or with 
existing applications (eg, working with something like Zope's concept of 
security/roles) quickly means that one size rarely fits all in 
sophisticated environments.

So while I don't question the utility of simple auth handlers (I agree 
many people will use them *first* while determining their real 
requirements or for simple environments), I still believe the focus 
should be on ensuring all the right hooks are in place so people can 
contribute or write handlers suited to a specific purpose, rather than 
trying to cover all these 'specific purposes' in a core module. 
Offering simple cookie or http-based auth scheme handlers as a 'sample' 
handler makes more sense and implicitly acknowledges we can't predict 
their specific use case.  Isn't that (from 1000 feet above) how Apache 
itself manages auth?  It is how IIS does.

This is obviously just my opinion though - please take it for what it 
cost you ;)


