Re: [protect] and identification

This WebDNA talk-list message is from 2008.

I've used the http authentication successfully and it ends up being a pretty frustrating experience for the user unless they quit the browser. Different browsers retain the http authentication from the last successful response so I would be cautious with anything less than a quit. I would limit http authentication to situations where the browser will be quit or where you have an automated client like a feed client.

The best way to go is via a login cookie with either (1) a session stored or (2) an encrypted user_id in the cookie. With (1) you need to store sessions on the server and that means flushing expired sessions. With (2) you need to ensure the encryption is strong and that expirations cannot be reset by a user.

Bill

P.S. Here is some pseudo code for the functions of login/out and authentication where the userid is encrypted:

login/out page
    reset user cookie to blank
    username and password form
    lookup username and password
    if matched, set encrypted user cookie with user_id and a date/time stamp
    redirect to account page

authenticated/protected pages
    getcookie for encrypted user_id
    unencrypt and lookup username/password, check that cookie is still fresh
    if not matched, redirect to login (optionally store function user attempted to access to redirect upon successful login)
    else, continue with function

On Fri, May 30, 2008 at 12:59 PM, Donovan Brooke wrote:
> Charles Kline wrote:
>>
>> Because it offers no "Log Out" feature which was part of the original
>> request.
>
> I think one *could* interact with the DOM via [authenticate]..
> but does anyone really do that these days? ;-)
>
> SMSI's sitebuilder is based off of authenticate and, sort of,
> emulates "logging off", by having the ability to log in as
> another user. (so I guess you could create this function by
> logging off into a faux user)
>
> In all the years I've worked with WebDNA, I've never
> built anything with authenticate.. so I can't really
> say for sure what would work there.. but I speculate it
> is possible.
>
> Donovan
>
> --
> DONOVAN D. BROOKE EUCA Design Center
> <- Web Development, DTP, Consulting, and Labels ->
> <- Fabricated Art (Metal, Glass, Kustom Paint) ->
> PH:> (608) 770-3822 | FAX:>(608) 291-2024
> WEB:> http://www.euca.us & http://www.egg.bz

Associated Messages, from the most recent to the oldest:

    
  1. Re: [protect] and identification ( "William DeVaul" 2008)
  2. Re: [protect] and identification ( Donovan Brooke 2008)
  3. Re: [protect] and identification ( Charles Kline 2008)
  4. Re: [protect] and identification ( Matthew Bohne 2008)
  5. Re: [protect] and identification ( "Michael A. DeLorenzo" 2008)
  6. Re: [protect] and identification ( Charles Kline 2008)
  7. [protect] and identification ( Lawrence 2008)
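Bill's option (2) carried through as an added example (not code from the list post, nor WebDNA code): the login, logout and protected-page checks with a user_id plus timestamp cookie. It swaps in an HMAC signature for the encryption Bill mentions, because the property he asks for is that a user cannot reset the expiration, and a keyed MAC over both fields gives exactly that; the user table, salt, key and freshness window are constructed assumptions.

```python
# Added example, not from the WebDNA list post. Cookie = base64(user_id:issued) + "." + HMAC.
# The user can read the fields but cannot change the timestamp without the server key.
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key-replace-in-production"  # assumption
MAX_AGE_SECONDS = 30 * 60  # freshness window for the cookie (assumption)
_SALT = b"constructed-demo-salt"  # assumption; per-user salts in real code


def _pw_hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed user table: user_id -> (username, salted password hash).
USERS = {42: ("alice", _pw_hash("correct horse"))}


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_cookie(user_id, now=None):
    """Bind user_id and an issue timestamp together under the server key."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}:{now}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def login(username, password, now=None):
    """Lookup username/password; return the cookie value, or '' on mismatch."""
    for user_id, (name, pw_hash) in USERS.items():
        if name == username and hmac.compare_digest(pw_hash, _pw_hash(password)):
            return make_cookie(user_id, now)
    return ""  # caller leaves the cookie blank and redirects to login


def logout():
    """Logout page: reset the user cookie to blank."""
    return ""


def authenticate(cookie, now=None):
    """Protected page: return user_id if the cookie is genuine and fresh, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # blank, malformed or bad base64 cookie
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # signature mismatch: forged or edited (e.g. new timestamp)
    user_id, issued = payload.decode().split(":")
    if now - int(issued) > MAX_AGE_SECONDS:
        return None  # stale: redirect to login
    return int(user_id) if int(user_id) in USERS else None
```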
