[omniORB] Security/Authentication

Sander Steffann sander@steffann.nl
Thu Feb 27 12:15:03 2003


Hi,

> > I've taken a gander at the mailing list archives, this
> > seems to be a question that has been asked in the past
> > but I could not find any consensus. Is
> > it a bad idea to hand out "sessions" kind of like
> > in a web application then specifically pass the session
> > id with each call?
>
> I am doing similar stuff, handing out "session cookies" from a separate
> authentication service. The "session cookies" are then piggy-backed on the
> IIOP requests using service contexts. The server can pick up the "session
> cookies" from the tagged-on service requests using portable interceptors and
> validate the clients that way (asking the authentication service whether the
> "session cookie" is OK or not).

Can you post an example of how you do this? It sounds interesting.

Thanks,
Sander.
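
The flow described in the quoted reply, as an added example that is not code from either poster or from omniORB: it uses no ORB API and models service contexts as `(id, bytes)` pairs and the interceptor hooks as plain functions. `SESSION_CONTEXT_ID`, `AuthService` and the function names are assumptions made for this sketch.

```python
import secrets
import time
SESSION_CONTEXT_ID = 0x53455353  # assumed tag for this example, not an OMG-assigned id

class AuthService:
    """Stand-in for the separate authentication service (hypothetical)."""
    def __init__(self, ttl=300, clock=time.time):
        self._sessions = {}  # opaque session id -> (user, expiry time)
        self._ttl, self._clock = ttl, clock

    def login(self, user):
        # Credential checking is out of scope here; assume it already passed.
        sid = secrets.token_bytes(32)  # unguessable, carries no user data
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def validate(self, sid):
        user, expiry = self._sessions.get(sid, (None, 0))
        if user is None or self._clock() >= expiry:
            self._sessions.pop(sid, None)  # drop expired entries
            return None
        return user

def client_send_request(service_contexts, sid):
    """Client interceptor step: piggy-back the session id on the request."""
    service_contexts.append((SESSION_CONTEXT_ID, sid))

def server_receive_request(service_contexts, auth):
    """Server interceptor step: return the caller, or refuse the request."""
    found = [data for cid, data in service_contexts if cid == SESSION_CONTEXT_ID]
    if len(found) != 1:  # absent or ambiguous: fail closed
        raise PermissionError("missing or duplicated session context")
    user = auth.validate(found[0])
    if user is None:  # a real ORB would raise CORBA::NO_PERMISSION here
        raise PermissionError("unknown or expired session")
    return user

def demo():
    now = [1000.0]  # constructed clock so expiry is deterministic
    auth = AuthService(ttl=300, clock=lambda: now[0])
    good = [(1, b"constructed unrelated context")]
    client_send_request(good, auth.login("alice"))
    results = [server_receive_request(good, auth)]
    # Constructed cases: no context, a forged id, then the real id after expiry.
    for contexts, advance in (([], 0), ([(SESSION_CONTEXT_ID, bytes(32))], 0), (good, 301)):
        now[0] += advance
        try:
            results.append(server_receive_request(contexts, auth))
        except PermissionError as exc:
            results.append(str(exc))
    return results
```

The session id is a bearer value, so it is only as confidential as the transport that carries the request.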