[Seaside] Efficient & trustable authorisation checks?

Tim Rowledge tim@sumeru.stanford.edu
Sat, 25 May 2002 10:08:42 -0700


Any thoughts on how to efficiently handle authorisation checks? After
all, my is expected to handle quite large numbers of students
(certainly hundreds, hopefully thousands) so obviously doing an ID
lookup every time is a poor choice if it is avoidable. What do other
systems do?

First thing that springs to mind is simply to flag the completed
authorisation; that requires trusting it to be correct, maybe a worry?
It seems like the current scheme of leaving the session id in the url
risks people simply passing the entire url to a buddy. Has anyone done
any work with using cookies for this - is it any more secure?

tim

-- 
Tim Rowledge, tim@sumeru.stanford.edu, http://sumeru.stanford.edu/tim
Everybody needs a little love sometime; stop hacking and fall in love!
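The two ideas in the post, caching the result of the expensive ID lookup in a server-side session and binding that session to something that is not in the URL, can be modelled in a few dozen lines. The following is an added illustration written for this page, not Seaside code and not from the poster; it is plain Python rather than Smalltalk so it runs stand-alone, and the user directory, the role names and the `SessionStore` API are all constructed for the example.

```python
"""Session-bound authorisation cache (illustrative model, not Seaside).

  * the slow "ID lookup" runs once, at login, and its result is cached in a
    server-side session; that cached flag is trustworthy because only the
    server ever writes it, so no per-request lookup is needed;
  * the session id still travels in the URL (as Seaside's does), so a copied
    URL alone must not be enough: the session is also bound to a random
    cookie value that the browser sends but that is not part of the URL;
  * the cookie value is compared in constant time.
"""
import hmac
import secrets

# Constructed directory standing in for the slow lookup the post wants to
# avoid repeating (an LDAP or database query in a real deployment).
USER_DIRECTORY = {
    "alice": {"roles": {"student", "course-101"}},
    "bob": {"roles": {"student"}},
}


def slow_id_lookup(user_id):
    """The expensive check: consult the directory, return the user's roles."""
    entry = USER_DIRECTORY.get(user_id)
    return frozenset(entry["roles"]) if entry else None


class SessionStore:
    """Server-side sessions: the only place the authorisation result lives."""

    def __init__(self):
        self._sessions = {}
        self.lookups = 0  # how often slow_id_lookup actually ran

    def login(self, user_id):
        """Run the lookup once and mint a (URL session id, cookie secret) pair."""
        self.lookups += 1
        roles = slow_id_lookup(user_id)
        if roles is None:
            return None
        session_id = secrets.token_urlsafe(16)  # appears in the URL
        binding = secrets.token_urlsafe(32)     # set as a cookie only
        self._sessions[session_id] = {
            "user": user_id,
            "roles": roles,      # cached result of the lookup
            "binding": binding,
        }
        return session_id, binding

    def authorise(self, session_id, cookie_value, required_role,
                  require_cookie=True):
        """Decide one request from its URL session id and its cookie.

        require_cookie=False reproduces the URL-only scheme, where whoever
        holds the URL holds the session.
        """
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        if require_cookie:
            if cookie_value is None:
                return False
            # Constant-time compare so a forged cookie cannot be guessed
            # byte by byte from response timing.
            if not hmac.compare_digest(cookie_value.encode("utf-8"),
                                       sess["binding"].encode("utf-8")):
                return False
        return required_role in sess["roles"]   # no directory hit here


def share_url_experiment():
    """Alice logs in, then pastes her URL to a buddy whose browser has no cookie."""
    store = SessionStore()
    sid, cookie = store.login("alice")
    alice = store.authorise(sid, cookie, "course-101")
    # Buddy presents the copied URL: allowed under URL-only, refused when bound.
    buddy_url_only = store.authorise(sid, None, "course-101", require_cookie=False)
    buddy_cookie_bound = store.authorise(sid, None, "course-101")
    forged_cookie = store.authorise(sid, "not-the-real-value", "course-101")
    # A later request from Alice is answered from the cached roles.
    store.authorise(sid, cookie, "course-101")
    return {
        "alice": alice,
        "buddy_url_only": buddy_url_only,
        "buddy_cookie_bound": buddy_cookie_bound,
        "forged_cookie": forged_cookie,
        "lookups": store.lookups,
    }


if __name__ == "__main__":
    print(share_url_experiment())
```

Binding the session to a cookie defeats the casual "paste the URL to a buddy" case, but it only moves the secret: a cookie can still be copied deliberately or sniffed if the site is not served over TLS, so it should carry the Secure and HttpOnly attributes. The cached roles are also only as fresh as the login, so a real deployment would expire sessions and re-run the lookup on a timer rather than trusting the flag for ever.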