Return-Path: 
 <apreq-dev-return-3388-apmail-httpd-apreq-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-apreq-dev-archive@www.apache.org
Received: (qmail 98422 invoked from network); 22 Sep 2005 14:06:13 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 22 Sep 2005 14:06:13 -0000
Received: (qmail 1230 invoked by uid 500); 22 Sep 2005 14:06:02 -0000
Delivered-To: apmail-httpd-apreq-dev-archive@httpd.apache.org
Received: (qmail 1196 invoked by uid 500); 22 Sep 2005 14:06:02 -0000
Mailing-List: contact apreq-dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:apreq-dev@httpd.apache.org>
List-Help: <mailto:apreq-dev-help@httpd.apache.org>
List-Unsubscribe: <mailto:apreq-dev-unsubscribe@httpd.apache.org>
List-Id: <apreq-dev.httpd.apache.org>
Delivered-To: mailing list apreq-dev@httpd.apache.org
Received: (qmail 1119 invoked by uid 99); 22 Sep 2005 14:06:01 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Sep 2005 07:06:00 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [81.209.165.42] (HELO duempel.org) (81.209.165.42)
    by apache.org (qpsmtpd/0.29) with SMTP; Thu, 22 Sep 2005 07:06:05 -0700
Received: (qmail 26126 invoked by uid 1001); 22 Sep 2005 16:04:02 +0200
Date: Thu, 22 Sep 2005 16:04:02 +0200
From: Max Kellermann <max@duempel.org>
To: Eli Marmor <marmor@netmask.it>
Cc: apreq-dev@httpd.apache.org
Subject: Re: Session/Cookie-Based Authentication Library
Message-ID: <20050922140402.GA26027@roonstrasse.net>
References: <43329F75.4FDF1D4A@netmask.it>
 <20050922132003.GA25264@roonstrasse.net> <4332B853.57B3D1A0@netmask.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4332B853.57B3D1A0@netmask.it>
User-Agent: Mutt/1.5.9i
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

On 2005/09/22 15:57, Eli Marmor <marmor@netmask.it> wrote:
> Sorry for being not enough clear: I didn't speak about HTTP
> authentication, and even not about a library doing the authentication
> for you. All I spoke was about some convenient routines that may save
> 80% of the work for people who implement cookies-based or session-based
> authentication.

I had understood well what you wanted.

> The username and the password are received from the user by a POST
> request, optionally encrypted (by SSL, or by JavaScript, etc.). From
> now on, the programmer "marks" the session, so following requests will
> be identified as coming from this specific user. This can be done in
> two ways: by setting a unique cookie (usually temporary), or by adding
> a unique hidden "&arg=val" to following requests/responses
> ("sessionization").

That's already a lot of assumptions you're making about the
authentication process, which a generic library like libapreq should
not know of.

Why do you want to add that to libapreq, instead of an add-on library?
An additional library can do the same job in saving this 80% of
people's work you spoke of.  Note: we agree that there is a demand for
such a library / module, and that using libapreq makes sense.

Max