Re: creating multiple accounts?

by "David C. Vogel" <hwg(at)vogelnet.com>

 Date:  Tue, 08 Jan 2002 22:00:28 -0500
 To:  Hank Marquardt <hmarq(at)yerpso.net>
 Cc:  hwg-techniques(at)mail.hwg.org
 References:  rog rog2
<snip>

>The basic drill is this -- after you authenticate a user (lookup in a
>database) you assign a session identifier that relates to that user.
>That session id needs to be propagated from page to page within the
>protected part of the site.  At the top of every 'protected' page needs
>to be a code stub that checks for a valid session id before permitting
>access to the page.
>
>... an alternative is to use Apache's authentication mechanism (assuming
>you're using Apache and have .htaccess abilities) then the user id and
>password are stored in the ENV array that you can access from your
>scripts (again then checking on all the protected pages for a valid
>user) ... this is probably easier to do; but has two disadvantages --
>you're stuck with the standard dialog box for authentication, and you
>can't associate data as nicely (think shopping cart).

Actually, one is not entirely "stuck with the standard dialog box for 
authentication".  One can use a script to add the 'basic authentication' 
information to a link URL in the following format to the protected section 
as follows:

http://username:password@domain.com/protectedDirectory/page.htm

This is not 100% satisfying, though, because I cannot find a way to make 
parts of it work with all browsers (namely Opera).  Although Opera supports 
accessing protected directories with the above format, some browsers (IE) 
carry the username:password in the URL in subsequent page accesses (a 
security issue if people print pages or have people looking over their 
shoulder).  And when you do an absolute redirect so the URL loses the 
username:password, it is not sent in the HTTP headers any more with 
Opera.  All tested versions of NN and IE seem to work, though.

I admit this is probably not worth the effort, but it seems to me MUCH 
easier to use basic authentication to protect pages that don't need more 
secure protection than to add scripts to each page one wants to 
protect.  It would be great to interface it with one's scripts.

A detailed description and example (I hope) is shown at: 
http://vogelnet.com/public.  Anyone with comments or further information to 
this, please point me to it.  Thanks.
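
An added example, not part of the original message: a Python sketch showing that the username:password in the URL form above is only base64-encoded once it reaches the Authorization header, and how a script or proxy can move it there so the visible URL stays clean. The function names and sample URLs are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_basic_credentials(url):
    """Return (clean_url, authorization_header) for a URL that may carry
    user:password@ in its authority part. The header is None when the URL
    has no credentials."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    # Userinfo is percent-encoded inside a URL; the header needs raw values.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    # Everything after the last '@' is host[:port], without the credentials.
    netloc = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        parts.query, parts.fragment))
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return clean, "Basic " + token.decode("ascii")


def decode_basic_header(header):
    """Recover (user, password) from a Basic Authorization header value.
    No key is needed: base64 is an encoding, not encryption, so the header
    is readable by anyone who sees the request unless it travels over TLS."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample URL in the format discussed in the message.
    sample = "http://username:password@example.com/protectedDirectory/page.htm"
    clean_url, auth = split_basic_credentials(sample)
    print("URL safe to display or log:", clean_url)
    print("Authorization:", auth)
    print("Decoded by any observer:", decode_basic_header(auth))
```

Logging or displaying only the clean URL keeps the password out of address bars, printouts, history and Referer headers; the header itself still needs HTTPS to stay private.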

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA