Timwi <timwi(a)gmx.net> writes: I'm currently thinking about the same problem for a personal Web site. The approach I'll probably choose is some hash in the URL. For example a hash of the User name and the Password hash. The "XML" or "Syndicate" or whatever-button will then link to the rss.php?user=user&id=HASH page. There I can easily check if the HASH is correct for the specified user. Every RSS reader I have used so far supported query strings. Regards Patrice -- Jesus answered, "I am the way and the truth and the life. No one comes to the Father except through me." (The Bible, John 14:6)

Timwi <timwi(a)gmx.net> writes: That's a valid argument. A dictionary attack might be a problem especially considering the problem that most users still use very weak passwords. So additionally we could add a date of the last change into the string where we calculate the hash from. I see that the user_touched field already exists in the database. Could we use this? So for example a calculation like $hash=sha1($user_id.$user_name.$user_password.$user_touched) Of course then we would need to give a user-friendly error message once the user can not be authenticated. I'm thinking about a single valid RSS item saying that the user could not be authenticated and explaining the fact, that a new URL must be used after every edit. Or if we don't have too many options in the settings yet, we could make including the $user_touched variable optional... :-) Regards Patrice -- Jesus answered, "I am the way and the truth and the life. No one comes to the Father except through me." (The Bible, John 14:6)

On Mar 7, 2004, at 23:09, Nikola Smolenski wrote: This seems like an impractical road with major usability problems. It's been suggested in the past to allow users to mark their watchlists as public, so for instance someone could go to http://en.wikipedia.org/wiki/Special:Watchlist/Brion_VIBBER to see my watchlist (if I marked it as public). A public watchlist could then also be syndicated as RSS. That's clean and simple: opt-in, so you're aware that your watchlist isn't 100% private, and we don't have to worry about constructing walls and barriers to keep people from accidentally letting it slip out (or get in themselves!) -- brion vibber (brion @ pobox.com)

BV> It's been suggested in the past to allow users to mark their BV> watchlists as public, so for instance someone could go to BV> http://en.wikipedia.org/wiki/Special:Watchlist/Brion_VIBBER to BV> see my watchlist (if I marked it as public). A public BV> watchlist could then also be syndicated as RSS. This would also make the perennial favorite "Who's watching this page?" feature practicable, too. ~ESP -- Evan Prodromou <evan(a)wikitravel.org> Wikitravel - http://www.wikitravel.org/ The free, complete, up-to-date and reliable world-wide travel guide