Dear Masters,

please forgive my silliness if you find any in the following text, but I think I've got something resembling a good idea and I would like to ensure that it may really work. I haven't seen this around, but if someone already had it, please point me towards their solution. Moreover, I'm no expert in the field, but I tried to look around for a definitive solution and I did not find it.

The problem is quite simple: managing login of users from a web application. I've basically detected two broad families:

  • HTTP-based authentication, either Basic or Digest
  • CGI-based authentication, based upon some login form much like PerlMonk's
The first thing I understand is that all of them do not guarantee much confidentiality, so one had better use strong encryption techniques by means of HTTPS/SSL. Noted.

A quick, bird's eye comparison boils down to the following for me:

  • HTTP-based authentication is cleaner with respect to the application. It puts authentication outside the application logic, while still allowing the retrieval of the authentication data (notably the user's name) in order to provide differentiated services.
  • CGI-based authentication, OTOH, requires much more attention from the programmer, who has to ensure that every execution path gets through the authentication process. While this is not a terribly difficult thing to do, it surely leaves much space for error or overlooked dark cases, which would open holes.
  • CGI-based authentication provides you with the ability to log out, while HTTP-based seems not to (at least according to the PAUSE website).
Summing up, it seems that the HTTP-based solution should be the way to go if I want to be on the safe side (Using CGI::Application on perl.com, although a bit dated, seems to second this impression), but this logout impossibility is really annoying. So, I finally came up with an idea for a solution.

When you authenticate using the HTTP-based approach, you're asking for permission to "explore" a specific realm. When you try to get into another realm, you're usually asked for a different username/password pair, even if they are pretty much the same as for the original realm. The idea is: why not use a realm name that actually is a session token? In this way, I could guarantee a logout feature by simply expiring the realm - if the user wants to get in again, another token is generated to create a brand-new realm.

And now I ask myself: is it really this simple? Probabilities come in handy here: "dumb idea, it cannot work in the real world for this, that and more" (80%), "there is something that does more than this, and quite better" (15%), "hey! this is a GREAT idea!" (1e-5%). The remainder of the cake is for a general "cases I've not thought about, but I had better do" entry.

I'd like to have some feedback before giving that 1e-5% a chance and diving into the various Apache modules to figure out how this could be accomplished. Thank you in advance for any counter-Meditation,

Flavio (perl -e 'print(scalar(reverse("\nti.xittelop\@oivalf")))')

Don't fool yourself.
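Here is the realm-as-session-token scheme worked through as an added example (not code from the original post): a small Perl request handler that issues HTTP Digest challenges whose realm is a per-session token, verifies the client's digest against that token, and logs out by discarding it. Digest rather than Basic is used because a Digest Authorization header echoes the realm, whereas Basic credentials carry no realm at all, so a Basic server could not tell a stale session from a live one; the user table, token store and simulated client are assumptions for the demo.

```perl
use strict; use warnings;
use Digest::MD5 qw(md5_hex);
# Constructed demo state. The Digest realm *is* the session token: a Digest
# Authorization header echoes the realm, so the server can see which token a
# response was computed for and reject one made for a logged-out realm.
my %users = ( alice => 'correct horse' );   # plaintext only for the demo
my %sessions;                               # realm token => { nonce, user }
sub new_token { md5_hex(rand() . time() . $$) }   # demo only; use a CSPRNG
sub parse_auth {                 # 'Digest k="v", k=v, ...' => hashref
    my ($hdr) = @_;
    return unless defined $hdr && $hdr =~ s/^Digest\s+//;
    my %f;
    $f{$1} = defined $2 ? $2 : $3 while $hdr =~ /(\w+)=(?:"([^"]*)"|([^,\s]*))/g;
    return \%f;
}
sub challenge {                  # 401 carrying a brand-new realm (session token)
    my ($tok, $nonce) = (new_token(), new_token());
    $sessions{$tok} = { nonce => $nonce, user => undef };
    return (401, qq{Digest realm="$tok", qop="auth", nonce="$nonce"});
}
sub authenticate {               # username if the response proves a live realm
    my ($method, $uri, $hdr) = @_;
    my $f = parse_auth($hdr) or return;
    defined $f->{$_} or return for qw(username realm nonce uri qop nc cnonce response);
    my $s = $sessions{ $f->{realm} } or return;   # expired realm => logged out
    return unless $f->{nonce} eq $s->{nonce} && $f->{uri} eq $uri && $f->{qop} eq 'auth';
    my $pw   = $users{ $f->{username} } // return;
    my $ha1  = md5_hex("$f->{username}:$f->{realm}:$pw");   # RFC 2617 HA1
    my $ha2  = md5_hex("$method:$uri");                      # RFC 2617 HA2
    my $want = md5_hex(join ':', $ha1, @$f{qw(nonce nc cnonce qop)}, $ha2);
    return $want eq $f->{response} ? ($s->{user} = $f->{username}) : undef;
}
sub logout { my $f = parse_auth(shift); delete $sessions{ $f->{realm} } if $f && $f->{realm} }
# (method, uri, Authorization header) => (status, WWW-Authenticate header)
sub handle { my $u = authenticate(@_); return defined $u ? (200, undef) : challenge() }

sub client_response {            # constructed client: what a browser sends back
    my ($chal, $user, $pw, $method, $uri) = @_;
    my $c = parse_auth($chal); my ($nc, $cn) = ('00000001', 'deadbeef');
    my $ha1  = md5_hex("$user:$c->{realm}:$pw");
    my $resp = md5_hex(join ':', $ha1, $c->{nonce}, $nc, $cn, 'auth', md5_hex("$method:$uri"));
    return qq{Digest username="$user", realm="$c->{realm}", nonce="$c->{nonce}", }
         . qq{uri="$uri", qop=auth, nc=$nc, cnonce="$cn", response="$resp"};
}
my ($st1, $chal1) = handle('GET', '/', undef);                 # 401, realm = token A
my $auth = client_response($chal1, 'alice', 'correct horse', 'GET', '/');
my ($st2) = handle('GET', '/', $auth);                         # 200
logout($auth);                                                  # token A discarded
my ($st3, $chal3) = handle('GET', '/', $auth);                 # 401 again, new realm B
print "$st1 $st2 $st3, fresh realm: ", ($chal1 ne $chal3 ? 'yes' : 'no'), "\n";
```

Because HA1 is computed over the realm, a browser that cached credentials for token A cannot satisfy the challenge for token B without prompting the user again, which is the logout behaviour the post is after.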

In reply to Authentication in web applications by polettix