Return-Path: 
 <dev-return-5058-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: (qmail 30975 invoked from network); 11 Jul 2009 00:15:00 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 11 Jul 2009 00:15:00 -0000
Received: (qmail 54991 invoked by uid 500); 11 Jul 2009 00:15:09 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 54898 invoked by uid 500); 11 Jul 2009 00:15:09 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 54888 invoked by uid 99); 11 Jul 2009 00:15:08 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Jul 2009 00:15:08 +0000
X-ASF-Spam-Status: No, hits=2.2 required=10.0
	tests=HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of thadguidry@gmail.com
 designates 74.125.78.26 as permitted sender)
Received: from [74.125.78.26] (HELO ey-out-2122.google.com) (74.125.78.26)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Jul 2009 00:15:00 +0000
Received: by ey-out-2122.google.com with SMTP id 22so285755eye.55
        for <dev@couchdb.apache.org>; Fri, 10 Jul 2009 17:14:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=ftDug2ol8l00eYlImXOy3Qz5ZZp2pHc2NFxOEudq9a8=;
        b=W/cNzSN3e8CeHJ+CiWqlLSt5PVq+IvNncUAmJzR0yquM/64dEjiVLmcftCQww3u8fZ
         Tq46AdR54kV+CAvVXM2S+zMuL6t0zCVucuHC/5biPY2uuvx7CPfx1mRIqpxJjBKw1mv6
         0skj8oZpWU0s2rso5+IDQrZSRKBKfNRwOGeUs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=j1UtW8GFDlDUWidinw74iBZxAn/2FVoz8jhisQjFwtwaW0/YlUffdzzOcjPN5KT3df
         6piiTFm7mTBScaQgUqm0IF3A1IODBRg1HBHDmd4qytCnppG79keGdUElJXx9Trul/hiK
         kKY+zjDC3/HYklKPh8Zd22Sop+BaAaEGCHxCg=
MIME-Version: 1.0
Received: by 10.210.42.13 with SMTP id p13mr1703321ebp.51.1247271279508; Fri,
	10 Jul 2009 17:14:39 -0700 (PDT)
In-Reply-To: <4A57D3D4.8090800@gmail.com>
References: <e282921e0907092308v463e842dy535abb012e7c76e7@mail.gmail.com>
	 <4A57405C.604@gmail.com>
	 <b7cd8ed10907100722n2f66a101y12bdcb01cdfbd291@mail.gmail.com>
	 <e282921e0907100950r4b5cd6b4h493e122becc30cc@mail.gmail.com>
	 <4A57D3D4.8090800@gmail.com>
Date: Fri, 10 Jul 2009 19:14:39 -0500
Message-ID: <a8b720180907101714h7f286284tcbe6e117051a2d10@mail.gmail.com>
Subject: Re: Cookie Auth
From: Thad Guidry <thadguidry@gmail.com>
To: dev@couchdb.apache.org
Content-Type: multipart/alternative; boundary=0015174bea248dbe97046e62f95f
X-Virus-Checked: Checked by ClamAV on apache.org

--0015174bea248dbe97046e62f95f
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

I myself would like to see OAuth support down the road.  Also there's
numerous OASIS standards that could be applied with a little help.

Anyone else?
-THAD

On Fri, Jul 10, 2009 at 6:50 PM, Mark Hammond <skippy.hammond@gmail.com>wrote:

> On 11/07/2009 2:50 AM, Chris Anderson wrote:
>
>  One man's feature creep is another's requirement... I try to keep a
>> level head about CouchDB features by leaving out the ones that every
>> application will do differently. If we can make a session handler that
>> CouchApps all use by default, it will take an entire territory of pain
>> away from application developers. If we leave it out, everyone will
>> implement it differently and that starts to be it's own problem.
>>
>
> I agree with the sentiment, but do wonder if this session handler really
> will be a handler everyone can use by default.  My experience with web based
> authentication has been that the biggest challenges are *integration* with
> existing auth schemes and concepts of 'session'. Integration directly with
> an external auth system (eg, NTLM), or with existing applications (eg,
> working with something like Zope's concept of security/roles) quickly means
> that one size rarely fits all in sophisticated environments.
>
> So while I don't question the utility of simple auth handlers (I agree many
> people will use them *first* while determining their real requirements or
> for simple environments), I still believe the focus should be on ensuring
> all the right hooks are in place so people can contribute or write handlers
> suited to a specific purpose, rather than trying to cover all these
> 'specific purposes' in a core module. Offering simple cookie or http-based
> auth scheme handlers as a 'sample' handler makes more sense and implicitly
> acknowledges we can't predict their specific use case.  Isn't that (from
> 1000 feet above) how Apache itself manages auth?  It is how IIS does.
>
> This is obviously just my opinion though - please take it for what it cost
> you ;)
>
> Cheers,
>
> Mark
>

--0015174bea248dbe97046e62f95f--