[Design] Re: [Cosmo] [Proposal] Anonymous login with Ticket + Password
Mimi Yin
mimi at osafoundation.org
Mon Aug 21 14:54:04 PDT 2006
On Aug 21, 2006, at 2:34 PM, Brian Moseley wrote:
> On 8/21/06, Mimi Yin <mimi at osafoundation.org> wrote:
>
>> + However, we don't want users to pass around plain English URLs that would be dead simple for everyone to hack (e.g. osaf.us/bcm/work)
>> + Machine-generated tickets are better used as a URL, something the user clicks on
>
> just to clear up any confusion, the url for the collection is no more
> or less hackable whether or not the url contains a ticket, if the
> server also requires a password to be presented.

To clarify again: would it be fair to say that a URL that does not
include a ticket IS more hackable if the sharer does NOT password
protect the share?

> what if, instead of using both a machine-generated, unmemorable ticket
> AND a user-generated, memorable password, we simply let the sharer
> choose the ticket string if he wants, letting the server generate a
> random one as it does today if the sharer doesn't care?
What if the user doesn't want to password protect the share?
Are you saying the 2 options should be:
+ Provide a URL (with embedded ticket) OR
+ Provide a URL (without embedded ticket) + password?
The only scenario where I think this would be a problem is if I
wanted to turn off password protection, I would need to send out a
new URL. But maybe we don't care about that.
What's the problem you see with having both a URL (with embedded
ticket) + a password?
Mimi