Re: [thredds] OPeNDAP Clients and Cookies

On Apr 1, 2013, at 5:34 PM, John Caron wrote:

> Hi kevin:
> 
> Cookies are part of standard HTTP, and are passed (both ways) in the HTTP 
> header.  Opendap is built on top of HTTP, and so any opendap client has a 
> mechanism for passing cookies. Whether they do so or not depends on the 
> client. I don't think they are required to (?).
> 
> Cookies are used to maintain session state on the server. This can mean that 
> the server only has to authenticate once for a session. That is mostly just a 
> performance issue, but in the worst case, the client could pop up a user 
> login window for each request, of which there are often many for any given 
> dataset access. But the client could also cache the authentication header and 
> send it each time. So cookies aren't totally necessary, what's really important 
> is that the client does something reasonable.
> 
> There is also a subtle (and usually rare) problem on datasets that can change 
> while being accessed, when you don't manage state, blogged about here:
> 
> http://www.unidata.ucar.edu/blogs/developer/en/entry/indexed_data_access_and_coordinate
> 
> My own opinion is that state is necessary, though perhaps evil. Web servers 
> like apache and tomcat do all the heavy lifting, so I think it's not a huge 
> burden on server writers. If I was king of opendap I would specify that 
> clients must return cookies.

Well, world domination aside ;-) I think we should probably talk about this in 
the context of DAP4, because cookies or other tokens are pretty important in 
lots of situations, esp. when authentication rears its head. 

James
> 
> I think if you follow standard HTTP practices, and an opendap client 
> misbehaves, it's up to the client to improve or risk becoming obsolete. There 
> are plenty of robust HTTP libraries in all languages, so there is really no 
> good excuse for clients not to do something reasonable.
> 
> John
> 
> On 4/1/2013 11:04 AM, Kevin Manross wrote:
>> 
>> Greetings,
>> 
>> To serve our data, we set a cookie once the user successfully logs in
>> to our website.  We check for that cookie upon return to the website.  I
>> have successfully written a filter for our experimental TDS and it seems
>> to handle web browser interactions by checking for cookies and
>> redirecting to our login if need be.  My next step is how to handle
>> opendap requests.
>> 
>> I have been reading up on the various ways to authenticate opendap
>> requests (primarily via THREDDS), many of which refer to the server
>> setting a session cookie upon successful login. My question is, how is
>> the session cookie checked upon subsequent requests by opendap clients
>> like IDL, Matlab, IDV, pydap, etc.?
>> 
>> We have a mechanism to allow users to obtain and store cookie
>> information for use in non-browser-sessions like scripts.  These scripts
>> usually involve wget which has a way to load cookies.  Do opendap
>> clients have any such way to send a cookie?
>> 
>> This is a major hurdle for our service and any feedback is greatly
>> appreciated!
>> 
>> Thanks!
>> 
>> -kevin.
>> 
>> --
>> Kevin Manross
>> NCAR/CISL/Data Support Section
>> Phone: (303)-497-1218
>> Email: manross@xxxxxxxx
>> Web: http://rda.ucar.edu
>> 
>> 
>> _______________________________________________
>> thredds mailing list
>> thredds@xxxxxxxxxxxxxxxx
>> For list information or to unsubscribe,  visit: 
>> http://www.unidata.ucar.edu/mailing_lists/
>> 
> 

--
James Gallagher
jgallagher at opendap.org
406.723.8663
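
The trade-off described in the quoted reply (a session cookie lets the server check credentials once, while a client that only caches its authentication header is re-checked on every request), as an added example that is not part of the original thread. The local test server, the `SESSION` cookie name, the `/demo.dds` path and the credentials are constructed for illustration.

```python
import base64, http.cookiejar, secrets, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed sample credentials and cookie name (assumptions, not from the thread).
EXPECTED = "Basic " + base64.b64encode(b"demo:constructed-password").decode()

class Handler(BaseHTTPRequestHandler):
    sessions = set()   # session ids issued after a successful login
    auth_checks = 0    # requests that fell back to checking credentials

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        sid = cookie.partition("SESSION=")[2].split(";")[0]
        new_sid = None
        if sid not in Handler.sessions:   # no valid session: must authenticate
            Handler.auth_checks += 1
            if self.headers.get("Authorization") != EXPECTED:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
                self.end_headers()
                return
            new_sid = secrets.token_urlsafe(16)   # unguessable bearer token
            Handler.sessions.add(new_sid)
        self.send_response(200)
        if new_sid:
            self.send_header("Set-Cookie", f"SESSION={new_sid}; HttpOnly; Path=/")
        self.end_headers()
        self.wfile.write(b"Dataset { } demo;\n")

    def log_message(self, *args):   # silence per-request logging
        pass

def run_client(use_cookies, n_requests=5):
    """Return how many credential checks the server made for n_requests."""
    Handler.sessions, Handler.auth_checks = set(), 0
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    handlers = [urllib.request.ProxyHandler({})]   # talk to localhost directly
    if use_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = [("Authorization", EXPECTED)]   # cached auth header
    for _ in range(n_requests):
        opener.open(f"http://127.0.0.1:{server.server_port}/demo.dds").read()
    server.shutdown()
    server.server_close()
    return Handler.auth_checks

if __name__ == "__main__":
    print("with cookies:", run_client(True), "without:", run_client(False))
```

Either way the secret (password or session id) travels in a request header on every request, so both approaches need TLS on a real deployment.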
