Tuesday, November 9, 2010

Re: [fw-auth] Validating Password while logged in and not losing session

I think that is fair enough, you make a good argument.

Authentication is one of those "cross cutting concerns": it touches the
application layer (session stuff) as well as the model layer (user &
credentials).

By asking for the password again, even though it is not the first
authentication, this guards against hijacking of the account if the physical
user leaves the session running without logging out.

Either way, as long as you can make a compelling argument as to why you
plan to put code where it goes, and it makes sense from a maintenance of
code perspective, you cannot be wrong.

-ralph

On 11/9/10 10:54 AM, Hector Virgen wrote:
> I think it's reasonable to re-use the auth adapter in this case.
>
> Although the user has previously authenticated (e.g. on the login page), the
> point in asking the user for the password again is to reinforce
> authentication. If it were simply a matter of trusting the identity
> persisted in the session, there wouldn't be any point in asking for the
> password.
>
> --
> *Hector Virgen*
> Sr. Web Developer
> http://www.virgentech.com
>
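The pattern the thread settles on, as an added example that is not code from either poster: re-use the auth adapter to check the logged-in user's password, but call the adapter's `authenticate()` directly rather than `Zend_Auth::authenticate()`, so the identity already persisted in the session is neither cleared on a failed attempt nor rewritten on a successful one. It assumes Zend Framework 1 on the include path and PHP 5.5+ for `password_verify()`; the `InMemoryPasswordAdapter` class, the `reauthenticate()` function and the `reauth` session namespace are constructed for this illustration and stand in for a real `Zend_Auth_Adapter_DbTable`.

```php
<?php
// Added example, not part of the original thread. Assumes Zend Framework 1
// is on the include path and PHP 5.5+ (password_hash / password_verify).
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// Constructed in-memory credential store standing in for the application's
// user table; a real deployment would use Zend_Auth_Adapter_DbTable here.
class InMemoryPasswordAdapter implements Zend_Auth_Adapter_Interface
{
    private $users;       // identity => password hash
    private $identity;
    private $credential;

    public function __construct(array $users) { $this->users = $users; }
    public function setIdentity($identity) { $this->identity = $identity; return $this; }
    public function setCredential($credential) { $this->credential = $credential; return $this; }

    // Returns a Zend_Auth_Result and never touches Zend_Auth's storage itself.
    public function authenticate()
    {
        if (!isset($this->users[$this->identity])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND,
                                        null, array('Unknown user'));
        }
        if (!password_verify((string) $this->credential, $this->users[$this->identity])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID,
                                        $this->identity, array('Bad password'));
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->identity);
    }
}

/**
 * Re-check the password of the user who is already logged in.
 * Calling $adapter->authenticate() directly, instead of
 * Zend_Auth::getInstance()->authenticate($adapter), means the session
 * storage is left alone: a wrong password does not log the user out, and a
 * correct one only records when the confirmation happened.
 */
function reauthenticate(InMemoryPasswordAdapter $adapter, $password)
{
    $auth = Zend_Auth::getInstance();
    if (!$auth->hasIdentity()) {
        return false; // nobody is logged in, so this is a first login, not a re-check
    }
    $result = $adapter->setIdentity($auth->getIdentity())
                      ->setCredential($password)
                      ->authenticate();
    if (!$result->isValid()) {
        return false;
    }
    // Constructed namespace: lets sensitive actions demand a recent confirmation.
    $ns = new Zend_Session_Namespace('reauth');
    $ns->confirmedAt = time();
    return true;
}

// Usage: first login goes through Zend_Auth so the identity is persisted...
$adapter = new InMemoryPasswordAdapter(array(
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT), // constructed user
));
Zend_Auth::getInstance()->authenticate(
    $adapter->setIdentity('alice')->setCredential('correct horse'));

// ...later, a wrong password fails the re-check but the session survives,
// and the right one succeeds without re-writing the stored identity.
var_dump(reauthenticate($adapter, 'wrong'));               // bool(false)
var_dump(Zend_Auth::getInstance()->hasIdentity());         // bool(true)
var_dump(reauthenticate($adapter, 'correct horse'));       // bool(true)
```

The distinction that matters is which `authenticate()` you call: `Zend_Auth::authenticate()` writes the result's identity into its storage (and clears it on a failed attempt), whereas the adapter's own `authenticate()` only returns a `Zend_Auth_Result`, which is exactly what a password confirmation step wants.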
