Authentication in web applications
by polettix (Vicar) on Jun 07, 2005 at 23:37 UTC
Please forgive my silliness if you find any in the following text, but I think I've got something resembling a good idea and I would like to ensure that it may really work. I haven't seen this around, but if someone already had it please point me towards their solution. Moreover, I'm no expert in the field, but I tried to look around for a definitive solution and I did not find it.
The problem is quite simple: managing login of users from a web application. I've basically detected two broad families:
The first thing I understand is that all of them do not guarantee much confidentiality, so one had better use strong encryption techniques by means of HTTPS/SSL. Noted.
A quick, bird's eye comparison boils down to the following for me:
When you authenticate using the HTTP-based approach, you're asking permission to "explore" a specific realm. When you try to get into another realm, you're usually asked for a different username/password pair, even if they are pretty much the same as for the original realm. The idea is: why not use a realm name that actually is a session token? In this way, I could guarantee a logout feature by simply expiring the realm - if the user wants to get in again, another token is generated to create a brand-new realm.
And now I ask myself: is it really this simple? Probabilities come in handy here: "dumb idea, it cannot work in the real world for this, that and more" (80%), "there is something that does more than this, and quite better" (15%), "hey! this is a GREAT idea!" (1e-5%). The remainder of the cake is for a general "cases I've not thought about, but I had better do" entry.
I'd like to have some feedback before giving that 1e-5% a chance and diving into the various Apache modules to figure out how this could be accomplished. Thank you in advance for any counter-Meditation,
Flavio (perl -e 'print(scalar(reverse("\nti.xittelop\@oivalf")))')
Don't fool yourself.
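A server-side sketch of the realm-as-session-token idea from the post, as an added example that is not part of the original post. It assumes HTTP Digest (RFC 2617, without qop) rather than Basic, because a Digest `Authorization` header names the realm the credentials were entered for; all function names and the sample account are hypothetical. Nonce replay tracking and pruning of unused tokens are left out.

```python
import hashlib
import hmac
import re
import secrets
import time

USERS = {"flavio": "s3cret"}  # constructed sample account
SESSION_TTL = 900             # assumed lifetime of a realm token, in seconds
live_realms = {}              # realm token -> expiry time

def parse_digest(header):
    """Return the key="value" fields of a Digest header, or {} for anything else."""
    if not header or not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 defines Digest over MD5; it is used here only because the protocol does.
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def challenge(now):
    """Open a brand-new realm whose name is the session token."""
    realm = secrets.token_urlsafe(16)
    live_realms[realm] = now + SESSION_TTL
    header = f'Digest realm="{realm}", nonce="{secrets.token_hex(16)}"'
    return 401, {"WWW-Authenticate": header}

def logout(realm):
    live_realms.pop(realm, None)  # expiring the realm is the whole logout

def handle(method, uri, authorization=None, now=None):
    now = time.time() if now is None else now
    f = parse_digest(authorization)
    realm, user = f.get("realm"), f.get("username")
    if live_realms.get(realm, 0) <= now:  # unknown, logged-out or timed-out realm
        live_realms.pop(realm, None)
        return challenge(now)
    expected = digest_response(user, realm, USERS.get(user, ""), f.get("nonce", ""), method, uri)
    ok = user in USERS and hmac.compare_digest(expected.encode(), f.get("response", "").encode())
    return (200, {}) if ok else challenge(now)

def client_authorization(www_authenticate, user, password, method, uri):
    """Model of the browser: answer a challenge for the realm it names."""
    c = parse_digest(www_authenticate)
    resp = digest_response(user, c["realm"], password, c["nonce"], method, uri)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{resp}"')
```

Correct credentials presented for a realm that has been logged out or has timed out are answered with a 401 carrying a fresh realm, so the client has to authenticate again.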