
account management standard

by Henri Icarus (Beadle)
on Apr 04, 2005 at 14:41 UTC (#444701=perlquestion)

Henri Icarus has asked for the wisdom of the Perl Monks concerning the following question:

This isn't a Perl specific question, but one that I hope fellow monks who have written web-apps might have insight into. It comes from my basic tiredness at having to constantly create and manage accounts on a plethora of web-sites that I visit. So, the question is:

Does anyone know of a standard that has been created, and even mildly adopted, that would allow for the following three actions:
  • create new account
  • login
  • change password

This would be kind of similar to Microsoft's Passport or SAML, but instead of being a negotiation between the target web-site and MS's servers or centralized SAML repository, it would be a negotiation between the target web-site and an app on the client computer that would hand over control to a browser after the actions were initiated. Thus, like a Passport or SAML service, it would allow me as a user to not have to type in my account info, over and over, as well as, perhaps, automate password changing, etc. but all my password data would be stored locally not on some remote server. Note that I'm not talking about "password wallet" style software which handles storing and keeping track of this info, but rather the actual process of the initiating and changing account info.

If this doesn't exist, I intend to create it, and implement a base Perl module that handles the transaction and can simply be overridden by web-app developers. I would think that there should be SOAP or XML RPC standards for these functions but my searching hasn't found anything so far.

-I went outside... and then I came back in!!!!

  • Replies are listed 'Best First'.
    Re: account management standard
    by Random_Walk (Prior) on Apr 04, 2005 at 15:08 UTC

      There was some discussion along these lines here: Single Sign-On?


      Pereant, qui ante nos nostra dixerunt!
    Re: account management standard
    by BrowserUk (Patriarch) on Apr 04, 2005 at 15:39 UTC

      You may find one of the OS alternatives to MS Passport fits the bill.

      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      Lingua non convalesco, consenesco et abolesco.
      Rule 1 has a caveat! -- Who broke the cabal?
    Re: account management standard
    by dragonchild (Archbishop) on Apr 04, 2005 at 15:02 UTC
      Sounds like you first need to really hammer out specs. A mailing list might be helpful. Security items like this shouldn't be developed ad-hoc. I'm sure people like merlyn and perrin, among others, might have a few things to say on the topic.
    ssh certificates
    by basje (Beadle) on Apr 04, 2005 at 19:37 UTC
      To me it sounds like ssh certificates. If the certificates match (and the passphrase is entered, or cached somehow), you are granted access to your account. Otherwise you're not, or presented with an opportunity to enter a password. Now, this is for shell access, but I could imagine it being applied to web access.
        One of the projects I dream about doing if I suddenly find a lot of free time is trying to implement a web site login system using SSL client authentication. This way, you would access an https page, your browser presents a certificate to the site (in addition to the normal step of the site presenting a certificate to you), and if the site likes the certificate, it gives you the session cookie (or you could just stay in SSL mode for the whole session).

        This has a lot of advantages: The SSL protocol is widely implemented and accepted (including client authentication, no problem here at least with Mozilla and IE, I think), it is password-less (hence more secure) and it could be easily used for single-sign-on across different web sites.
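
The certificate-to-cookie step described in the reply above, sketched as an added example that is not part of the original thread: the TLS context demands a client certificate, and the site then maps that exact certificate to an account before issuing a signed session cookie. The enrolment table, the account name `alice`, the sample certificate bytes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import ssl

# Constructed stand-in for the DER bytes of an enrolled client certificate.
SAMPLE_CERT_DER = b"constructed-sample-client-certificate-der"
# Enrolment table (hypothetical): SHA-256 of the certificate -> account name.
ACCOUNTS = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest(): "alice"}
COOKIE_KEY = secrets.token_bytes(32)  # per-process signing key for cookies


def server_context(certfile, keyfile, client_ca):
    """TLS context that fails the handshake unless the browser presents a
    certificate chaining to client_ca (file paths are supplied by the caller)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def account_for(peer_der):
    """Map a verified peer certificate to an account by exact fingerprint."""
    if not peer_der:
        return None
    return ACCOUNTS.get(hashlib.sha256(peer_der).hexdigest())


def _tag(body):
    return hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()


def login(peer_der):
    """peer_der is what SSLSocket.getpeercert(binary_form=True) returns."""
    account = account_for(peer_der)
    if account is None:
        return None  # chain may be valid, but the certificate is not enrolled
    body = f"{account}.{secrets.token_hex(16)}"
    return f"{body}.{_tag(body)}"


def verify_cookie(cookie):
    """Return the account name for an untampered cookie, else None."""
    try:
        account, nonce, tag = cookie.rsplit(".", 2)
    except ValueError:
        return None
    ok = hmac.compare_digest(tag, _tag(f"{account}.{nonce}"))
    return account if ok else None
```

Chain validation only proves the certificate was issued by a trusted CA; the fingerprint lookup is what ties it to one account, so a valid but unenrolled certificate gets no session.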

    Re: account management standard
    by vaevictus (Pilgrim) on Apr 05, 2005 at 03:52 UTC
      I know I'll get lots of negative response for this... but I like using POE::Component::Jabber for these things... because I can use them for *EVERYTHING* ... not just websites.
    Re: account management standard
    by rir (Vicar) on Apr 05, 2005 at 20:23 UTC
      Maybe I'm misunderstanding your question. What I get out of your post:
      • maintain site, id, password info
      • login with this info
      • change password
      I use Galeon on Linux as a browser and it does the first two. When I reach a password page I generally just need to hit enter. I do not see the change password functionality as amenable to automation--there are too many varying security situations. (I mean in a practical sense as a lone user/client surfing the web.)

      There has been some noise about Linux browsers using some XML (iirc) to make bookmark files portable between browsers, I hope that password files are not far behind.

      I have just recently had cause to use Microsoft's XP browser; I was surprised at the lack of convenience features like finding when you type perlmonks. Is it also backward regarding passwords?

      Be well,

        Well, actually the thing I care about most is #3! Yes browsers will keep passwords for various web-sites and remember form values here and there, but what I was interested in is the ability to manage those accounts with a client side protocol.

        -I went outside... and then I came back in!!!!
