Posted to modperl@perl.apache.org by John Saylor <jo...@WorldWinner.com> on 2000/10/17 15:24:51 UTC

Re: Remembering Authentication

Hi

----- Original Message -----
From: "Ian Frawley" <if...@acquist.co.uk>

> Is it possible to authenticate a user without having to use the
> unfriendly login box provided by browsers, without using cookies?

2 words: digital certificates

This probably means a lot of infrastructure [LDAP, CA, smart cards ...],
but it will let your users authenticate without doing anything more than
clicking the certificate they want to use for authentication.

\js

Re: Remembering Authentication

Posted by Ian Frawley <if...@acquist.co.uk>.
Security is very important as the user will be buying something and I have
to distinguish if the user is a casual browser [rules out smart cards] or a
regular shopper. Casual browsers need to be told how wonderful our content
is and asked 1) do they want to sign up or 2) do they want to make an
immediate credit card payment [rules out smart cards again]. Whereas regular
shoppers (subscribers) can just login.

Ian

----- Original Message -----
From: "John Saylor" <jo...@WorldWinner.com>
To: "Ian Frawley" <if...@acquist.co.uk>; <mo...@apache.org>
Sent: Tuesday, October 17, 2000 8:48 AM
Subject: Re: Remembering Authentication


> Hi
>
> ----- Original Message -----
> From: "Ian Frawley" <if...@acquist.co.uk>
>
>
> > Is it not just possible through a perl module as I am not very clued
> up on
> > digital certificates.
>
> Well, you have to have some credentials- and if it's not a cookie [bad
> idea anyway], and if it's not a username/password- what would it be?
>
> You could have IP address based authentication, but this is probably
> more prone to misconfiguration and forgery than digital certificates.
>
> How important is access control to your application? In other words,
> where is the line on how much effort you [and your users] are going to
> put into security at the expense of convenience?
>
> \js


Re: Remembering Authentication

Posted by Todd Chapman <mo...@chaka.net>.
What if the user added his username and password to the URL? If they are
valid the application could add those parameters to all links/form
actions, but the plaintext password would be replaced with some parameter
that would be good for the next access and expire after a specified period
of time. The initial URL could be generated from a fill-out form.

-Todd

On Tue, 17 Oct 2000, John Saylor wrote:

> Hi
> 
> ----- Original Message -----
> From: "Ian Frawley" <if...@acquist.co.uk>
> 
> 
> > Is it not just possible through a perl module as I am not very clued
> up on
> > digital certificates.
> 
> Well, you have to have some credentials- and if it's not a cookie [bad
> idea anyway], and if it's not a username/password- what would it be?
> 
> You could have IP address based authentication, but this is probably
> more prone to misconfiguration and forgery than digital certificates.
> 
> How important is access control to your application? In other words,
> where is the line on how much effort you [and your users] are going to
> put into security at the expense of convenience?
> 
> \js
> 

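Todd's scheme above, worked through as an added example (not code from the thread or from anyone posting in it): the plaintext password is exchanged on the first request for a URL parameter that is HMAC-signed, bound to an expiry time and rotated on every access, so a URL that leaks through server logs, the Referer header or browser history goes stale quickly. The sub names, the placeholder secret and the in-process `%seen` nonce table are assumptions for illustration; a real deployment would keep the secret in configuration and the nonce table in shared storage.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a URL-carried access token that
# replaces the plaintext password after the first request, is bound to an
# expiry time, is HMAC-signed so it cannot be forged or altered, and is
# rotated on every use so a leaked URL (logs, Referer, history) goes stale.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'PLACEHOLDER-long-random-server-secret';  # assumed loaded from config
my $TTL    = 15 * 60;                                   # token lifetime in seconds
my %seen;   # nonces already presented; in-process only, for illustration

# Issue "user:expires:nonce:mac"; $now is injectable for testing.
sub issue_token {
    my ($user, $now) = @_;
    $now = time unless defined $now;
    my $nonce   = sprintf '%08x%08x', int rand 0xffffffff, int rand 0xffffffff;
    my $payload = join ':', $user, $now + $TTL, $nonce;
    return $payload . ':' . hmac_sha256_hex($payload, $SECRET);
}

# Accept a token once; return ($user, $next_token) or () on failure.
sub redeem_token {
    my ($token, $now) = @_;
    $now = time unless defined $now;
    my ($user, $expires, $nonce, $mac) = split /:/, $token, 4;
    return () unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex(join(':', $user, $expires, $nonce), $SECRET);
    return () unless same_string($mac, $expected);   # check the MAC before anything else
    return () if $now > $expires;                     # expired
    return () if $seen{$nonce}++;                     # replayed (single use)
    return ($user, issue_token($user, $now));        # rotate for the next access
}

# Length-checked, constant-time comparison so timing does not leak the MAC.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Rewrite an outgoing link to carry the token, as the thread suggests.
sub with_token {
    my ($url, $token) = @_;
    return $url . ($url =~ /\?/ ? '&' : '?') . "auth=$token";
}

# Demo: login issues a token, the next request redeems and rotates it.
my $t1 = issue_token('ian');
my ($who, $t2) = redeem_token($t1);
print with_token('/shop/basket', $t2), "\n" if defined $who;
print "replay rejected\n" unless redeem_token($t1);
```

Because the token travels in the URL rather than a cookie, every page served while it is valid must be over SSL, and the expiry should stay short; rotation means a copied link is only useful until its legitimate holder clicks once more.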

Re: Remembering Authentication

Posted by John Saylor <jo...@WorldWinner.com>.
Hi

----- Original Message -----
From: "Ian Frawley" <if...@acquist.co.uk>


> Is it not just possible through a perl module as I am not very clued
up on
> digital certificates.

Well, you have to have some credentials- and if it's not a cookie [bad
idea anyway], and if it's not a username/password- what would it be?

You could have IP address based authentication, but this is probably
more prone to misconfiguration and forgery than digital certificates.

How important is access control to your application? In other words,
where is the line on how much effort you [and your users] are going to
put into security at the expense of convenience?

\js

Re: Remembering Authentication

Posted by Gunther Birznieks <gu...@extropia.com>.
I should probably place a plug and say that the open source extropia 
authentication framework for Perl handles digital certificates, sessions 
with and without cookies, the unfriendly login screen, form-based logon 
screens in its default capacity.

As a company working on real projects, we've also adapted it to 3rd party 
authentication schemes so our applications could plug into proprietary auth 
mechanisms including a couple banks and a WAP portal (where asking 
passwords is a pain for WAP users).

The free stuff is in the extropiaperl project at sourceforge.net and the 
docs are at http://www.extropia.com/ExtropiaObjects/ including an extremely 
detailed chapter on the basic choices you basically have related to auth on 
the web.

Later,
    Gunther

PS It was mentioned you probably need LDAP for certs. The key word is 
probably. But it does add an additional layer of security and many 
*IMPLEMENTATIONS* of using digital certificates require the use of LDAP as 
a lookup data store to double check that the cert has not been revoked in 
real-time.

However, digital certs are not for the faint of heart, they aren't cross 
browser friendly, are a pain in the ass to mint unless you have bought a 
3rd party digital cert mechanism (or force the user to get one at 
Verisign), and require the use of SSL throughout the entire user session.

At 02:40 PM 10/17/00 -0500, Ian Frawley wrote:
>Is it not just possible through a perl module as I am not very clued up on
>digital certificates.
>
>Thanks
>
>Ian
>----- Original Message -----
>From: "John Saylor" <jo...@WorldWinner.com>
>To: "Ian Frawley" <if...@acquist.co.uk>; <mo...@apache.org>
>Sent: Tuesday, October 17, 2000 8:24 AM
>Subject: Re: Remembering Authentication
>
>
> > Hi
> >
> > ----- Original Message -----
> > From: "Ian Frawley" <if...@acquist.co.uk>
> >
> > > Is it possible to authenticate a user without having to use the
> > > unfriendly login box provided by browsers, without using cookies?
> >
> > 2 words: digital certificates
> >
> > This probably means a lot of infrastructure [LDAP, CA, smart cards ...],
> > but it will let your users authenticate without doing anything more than
> > clicking the certificate they want to use for authentication.
> >
> > \js


Re: Remembering Authentication

Posted by Ian Frawley <if...@acquist.co.uk>.
Is it not just possible through a perl module as I am not very clued up on
digital certificates.

Thanks

Ian
----- Original Message -----
From: "John Saylor" <jo...@WorldWinner.com>
To: "Ian Frawley" <if...@acquist.co.uk>; <mo...@apache.org>
Sent: Tuesday, October 17, 2000 8:24 AM
Subject: Re: Remembering Authentication


> Hi
>
> ----- Original Message -----
> From: "Ian Frawley" <if...@acquist.co.uk>
>
> > Is it possible to authenticate a user without having to use the
> > unfriendly login box provided by browsers, without using cookies?
>
> 2 words: digital certificates
>
> This probably means a lot of infrastructure [LDAP, CA, smart cards ...],
> but it will let your users authenticate without doing anything more than
> clicking the certificate they want to use for authentication.
>
> \js