[Web-SIG] Communicating authenticated user information
Alan Kennedy
pywebsig at xhaus.com
Sun Jan 22 20:08:05 CET 2006
[Alan Kennedy]
>> I agree about not sending this information back to the user: it's
>> unnecessary and potentially dangerous.
[Phillip J. Eby]
> Yep, it would be really dangerous to let me know who I just logged in to
> an application as. I might find out who I really am! ;)
Very droll ;-)
What if other information, such as meta-information about the auth
directory or database in which the credentials were looked up, was also
communicated through X-headers, e.g. server connection details, etc.
Happy for that to go back to the user too?
If X-headers are to be used in WSGI, I think there should be something
in the spec about whether or not they should be transmitted to the user.
Alan.
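As an added illustration of the concern raised in this message (example code, not from the thread or from any WSGI implementation): authenticated-user information can be handed to the downstream application through the WSGI environ (the standard `REMOTE_USER` key) rather than through headers, and a small piece of middleware can strip any internal `X-Auth-*` response headers before they reach the client. The names `StripInternalHeaders`, `leaky_app`, `call_app` and `sample_environ`, the `X-Auth-*` prefix, and the sample header values are all assumptions for this example.

```python
# Added example (not from the thread): keep auth metadata out of the client response.
# StripInternalHeaders, leaky_app, call_app, sample_environ and the "x-auth-" prefix
# are assumptions chosen for this illustration.


def leaky_app(environ, start_response):
    """Constructed downstream app: echoes the authenticated user, but also
    leaks directory-lookup details to the client in X-Auth-* response headers."""
    user = environ.get("REMOTE_USER", "anonymous")
    headers = [
        ("Content-Type", "text/plain"),
        ("X-Auth-Backend", "ldap://directory.internal:389"),  # constructed leak
        ("X-Auth-User", user),
    ]
    start_response("200 OK", headers)
    return [("hello " + user).encode("utf-8")]


class StripInternalHeaders:
    """WSGI middleware that drops response headers whose names start with any
    of the given (case-insensitive) prefixes before they reach the client."""

    def __init__(self, app, prefixes=("x-auth-",)):
        self.app = app
        self.prefixes = tuple(p.lower() for p in prefixes)

    def __call__(self, environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [
                (name, value)
                for name, value in headers
                if not name.lower().startswith(self.prefixes)
            ]
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start_response)


def call_app(app, environ):
    """Minimal in-process WSGI caller: returns (status, headers, body_bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None  # write() callable, unused here

    chunks = app(environ, start_response)
    try:
        body = b"".join(chunks)
    finally:
        close = getattr(chunks, "close", None)
        if close is not None:
            close()
    return captured["status"], captured["headers"], body


def sample_environ(user="alice"):
    """Constructed request environ; REMOTE_USER is the standard WSGI/CGI key
    through which a front-end authenticator hands the identity downstream."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_USER": user}


if __name__ == "__main__":
    # Without the middleware the X-Auth-* headers leave the server; with it they do not.
    print(call_app(leaky_app, sample_environ()))
    print(call_app(StripInternalHeaders(leaky_app), sample_environ()))
```

The point of the example is the split: identity travels server-side in the environ, and whatever an application or auth layer puts into `X-*` response headers is filtered by an explicit allow/deny decision at the edge of the stack rather than left to reach the browser by default.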