
Re: Re: Detect logon ID from Browser

by TexasTess (Beadle)
on May 16, 2002 at 00:41 UTC

in reply to Re: Detect logon ID from Browser
in thread Detect logon ID from Browser

Hey! Thanks for the quick reply! Let me expand my question a little bit... I am going to require the user to enter a logon ID before they are granted entry. I then want to verify that the logon ID and the individual entering are one and the same... then check to see they are on the list of accepted users. I don't want to check passwords nor do I want to require a password to gain entry... Is this a bit clearer? Thanks in advance.

Replies are listed 'Best First'.
Re: Re: Re: Detect logon ID from Browser
by andreychek (Parson) on May 16, 2002 at 02:19 UTC
    Unfortunately, what you're looking for may not be possible. The problem is, it's really trivial for a browser to fake information like that; you'd be diving head first into a security nightmare.

    There may be a way around that though, but it might cost a few dollars. In the same way that a web server needs a digital certificate in order to do secure transactions, browsers can be given certificates too, in order to verify a person's identity. You'd have to go through a company like Verisign to do that, and you might end up spending $50 a user or so. On the server end, you could have some code to check the certificate the browser is presenting you with. If you recognize the certificate, you could authenticate them.

    That's about the only way you can verify a user's identity without asking for a password. And then, that only works so long as the user doesn't have their certificate stolen ;-)

    Hope that helps!

    Lucy: "What happens if you practice the piano for 20 years and then end up not being rich and famous?"
    Schroeder: "The joy is in the playing."
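
The server-side certificate check described in the reply above, as an added example that is not part of the original post. It assumes a CGI script behind Apache mod_ssl configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`; the allowlist entries, user names and sample requests are constructed, and `user_from_client_cert` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accepted users, keyed on issuer DN plus certificate serial rather than on
# the subject CN alone. All values are constructed samples; the DN string
# must match the format your server actually emits.
my %ACCEPTED = (
    'CN=Example Internal CA,O=Example Corp|0A1B' => 'tess',
    'CN=Example Internal CA,O=Example Corp|0A1C' => 'fred',
);

# Return the local user name for a verified, allowlisted client certificate,
# or nothing. $env is the CGI environment as populated by mod_ssl.
sub user_from_client_cert {
    my ($env) = @_;

    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    # FAILED:reason. Only SUCCESS means the chain validated against the CA.
    my $verify = $env->{SSL_CLIENT_VERIFY};
    return unless defined($verify) && $verify eq 'SUCCESS';

    my $issuer = $env->{SSL_CLIENT_I_DN};
    my $serial = $env->{SSL_CLIENT_M_SERIAL};
    return unless defined($issuer) && defined($serial);

    # Nothing typed into a form is consulted here: identity comes only from
    # the certificate that the TLS layer has already verified.
    return $ACCEPTED{ join('|', $issuer, uc($serial)) };
}

# Constructed sample requests: a listed certificate, a request with no
# certificate at all, and a valid certificate that is not on the list.
my $ca = 'CN=Example Internal CA,O=Example Corp';
my @requests = (
    [ 'listed certificate',   { SSL_CLIENT_VERIFY => 'SUCCESS',
        SSL_CLIENT_I_DN => $ca, SSL_CLIENT_M_SERIAL => '0a1b' } ],
    [ 'no certificate',       { SSL_CLIENT_VERIFY => 'NONE' } ],
    [ 'unlisted certificate', { SSL_CLIENT_VERIFY => 'SUCCESS',
        SSL_CLIENT_I_DN => $ca, SSL_CLIENT_M_SERIAL => 'FFFF' } ],
);

for my $r (@requests) {
    my ($label, $env) = @$r;
    my $user = user_from_client_cert($env);
    printf "%-22s => %s\n", $label,
        defined($user) ? "allow as $user" : 'deny';
}
```

Revoking a lost or stolen certificate then means removing its entry from the allowlist or publishing a CRL for the issuing CA.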
Re: Re: Re: Detect logon ID from Browser
by davis (Vicar) on May 16, 2002 at 08:39 UTC
    I was recently in a similar position to you - needing an authentication system to be used in an internal intranet, and I really didn't like the idea of a password system - after all, we're a small friendly company, where everybody knows everybody else, and we can all be trusted, right?
    Your users, like mine, probably can be trusted, but I think that authentication is about more than just trust.

    I ended up building a system based on Apache::AuthCookie that required passwords and usernames, which works pretty damn well. To my surprise, there was not a murmur of complaint from the users - in fact the authentication has proved to be useful by providing accountability: "Ah, Fred moved this frobulator last Tuesday, I'll go talk to him"
    Basically, authentication systems can be well worth the effort, and a password-based system doesn't have to be that hard to use, so I'd advise thinking about whether the standard username/password combo would really be that much of a problem.
    This is total and utter opinion, so feel free to ignore my ramblings :-)
    Is this going out live?
    No, Homer, very few cartoons are broadcast live - it's a terrible strain on the animator's wrist