[trendoman]

We'll have to convert it to some kind of token based authentication to make things work.

What a nice, interesting thread here

I have just read about this t-b-a and found, that token is passed to the destination url, probably similar to a http.get parameter. If so, tokens (md5 hash over username and time) can be created as clonable pages and url validated against the scope of existing tokens. Am I on the right track?

[KK]

@trendoman, the authentication cookie basically also contains a hashed token.
Maybe we could use the URL to pass this token as querystring parameter. Haven't given much thought to it, though, so there could be some implications I don't see prima-fascie.

[trendoman]

@trendoman, the authentication cookie basically also contains a hashed token.
Maybe we could use the URL to pass this token as querystring parameter. Haven't given much thought to it, though, so there could be some implications I don't see prima-fascie.

@KK, thanks. Querystring parameter is exactly what I meant it to be (or as part of custom routes, that's no big deal of difference). Then 2 things: 1) validate token to exist in database and not unpublished + probably same-ip/device-id check, 2) decompose it and see if the time is not expired & user exists. I will stop this bla-bla for a while, and see what the guys are working on

Helping me out at some points.. but should make this app more light as possible..