Re: [mv] Authentication, userdb, Group Login
On Fri, 12 Nov 1999, Dan Busarow wrote:
>****** message to minivend-users from Dan Busarow <dan@dpcsys.com> ******
>
>On Thu, 11 Nov 1999, Ryan Hertz wrote:
>> At 02:04 AM 11/11/1999 , you wrote:
>> >****** message to minivend-users from "Ton Verhagen"
>> >You are right, but how can we achieve that the employees do not
>> >have to login by themselves? The idea is that the company logs
>> >in, say once a day, and all employees (on different PCs in
>> >office) can access the site without having to bother about login
>> >procedures. Also, every employee should get his private session.
>>
>> Yikes! That's rather complicated... in fact, I'd almost say that
>> it is impossible to give each employee a private session attached to the
>> employer's login. It all depends on the level of security you wish to
>> provide to the data.
>> So the main focus is that no employee can access the site unless
>> the 'company' or a main account has logged in?
>> To have the employee identified by an account/employer/name would
>> almost require a login procedure of some type. If you were using Apache
>> and the .htaccess scheme, you could encode a URL with the account/password,
>> such as http://name:password@www.secretwebsiteproject.com. However, this
>> method leaves the account and password visible in the browser/history.
>> I really can't think of any truly bullet-proof method of doing it. :-(
>
>You could write your own auth module for Apache. See Apache::AuthDBI
>as a starting point for an auth module that uses DBI::DBD to talk to
>a database.
>
>Then you could use REMOTE_ADDR to lookup say the first three octets
>of the address and see if there is a current (today) record. If there
>is return an auth OK. If not make them login as normal, checking
>against a user/password table, this would be the company login.
>If this login succeeds you update the network table and return auth
>OK.
>
>It's tricky and requires root and mod_perl, but is doable.
>
Thanks for your help so far!
Would it also be a viable and safe solution to use Java?
I mean, when the company does a login they'll get a kind of
checksum. This checksum should be stored on the company's system
(preferably done by Java script). When an employee accesses the
catalog they load a page with some Java that reads the checksum
and modifies the selected URL in the page (adds the checksum
somewhere in the URL --- eg. one-click search). If the checksum
is okay (company has a current login) they get access, otherwise
they have to login (company login).
Ton
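The two schemes discussed in this thread (Dan's "first three octets" network table with a same-day record, and Ton's checksum carried in the URL) can be modelled together in a few lines. The following is an added example, not code from the list, Minivend, or Apache::AuthDBI; the account table, the password hashing, the server secret and all names are constructed for illustration. The server-side check is what an Apache auth handler would do: accept the request if the client's /24 has a company login from today, or if the URL carries a token that is an HMAC over the account, that /24 and today's date. Binding the token to network and date means a copied URL is useless from outside the office or on a later day; the caveat a practitioner would want is that the /24 rule, as Dan describes it, admits every host in that range for the rest of the day, so it only fits an office behind a known address block.

```python
import datetime
import hashlib
import hmac
import ipaddress

# Constructed server secret; a deployment would read it from configuration
# that only the web server process can access.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def _hash_password(password):
    # Fixed-salt hash keeps the example self-contained; real code uses a
    # per-user random salt and a slow KDF.
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


# Constructed company account table: account -> password hash.
_USERS = {"acme": _hash_password("correct horse")}


def network_of(remote_addr):
    """Dan's 'first three octets' lookup: reduce REMOTE_ADDR to its /24."""
    return ipaddress.ip_network(f"{remote_addr}/24", strict=False)


class CompanyAuth:
    def __init__(self, secret=SERVER_SECRET, today="1999-11-12"):
        self._secret = secret
        self.today = datetime.date.fromisoformat(today)
        # network table: /24 -> (account, date of last company login)
        self._networks = {}

    def set_today(self, iso_date):
        """Advance the clock; records and tokens from earlier days expire."""
        self.today = datetime.date.fromisoformat(iso_date)

    def company_login(self, account, password, remote_addr):
        """The company login. On success, record the client's /24 as logged
        in for today and return the 'checksum' (a date-bound token) that the
        office pages may append to their URLs."""
        expected = _USERS.get(account)
        given = _hash_password(password)
        if expected is None or not hmac.compare_digest(expected, given):
            return None
        net = network_of(remote_addr)
        self._networks[net] = (account, self.today)
        return f"{account}.{self._mac(account, net)}"

    def _mac(self, account, net):
        msg = f"{account}|{net}|{self.today.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def is_authorized(self, remote_addr, token=None):
        """Per-request check for an employee: OK if the client's /24 has a
        company login from today, or if the URL token verifies for that /24
        and today. Otherwise the caller should show the company login."""
        net = network_of(remote_addr)
        rec = self._networks.get(net)
        if rec is not None and rec[1] == self.today:
            return True
        if token and "." in token:
            account, mac = token.split(".", 1)
            if account in _USERS and hmac.compare_digest(self._mac(account, net), mac):
                return True
        return False


if __name__ == "__main__":
    auth = CompanyAuth()
    tok = auth.company_login("acme", "correct horse", "192.0.2.10")
    print("same office, no token:", auth.is_authorized("192.0.2.77"))
    print("other network, stolen token:", auth.is_authorized("198.51.100.5", tok))
    auth.set_today("1999-11-13")
    print("next day, same token:", auth.is_authorized("192.0.2.77", tok))
```

The `_networks` dictionary stands in for the database table Dan mentions; an Apache::AuthDBI-style handler would query it with the /24 derived from REMOTE_ADDR on each request and insert a row when the company login succeeds.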