----- Original Message -----
From: "Jeremy Cowgar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 15, 2003 9:00 AM
Subject: [AOLSERVER] Best way for user authentication?


> The first method I know is http authentication which will pop up a dialog
> box and ask the user for their information. I would like to try to avoid this
> because it's not quite as user friendly as having a login form.

It would be nicer if we could easily and dynamically change who is on the
auth list for the pop-up dialogs, but I am not good enough yet to hack the
current scheme to allow on-the-fly changes. As it sits, you have to restart
the server to make any changes to the access list, which is not good for a site
that has a changing user base.

> The second method is using cookies. I can handle this, but ensuring that
> the cookie is read for all .adp requests, that it is available in all my tcl
> methods, in the included adp_ files, etc... that is confusing me a little.
>
> I am certain there are other ways as well.
>
> Can anyone give me a little info or point me to an information source on
> this subject?

On my sites that use user authentication I use a mix of cookies, using Daniel
Stasinski's cookie package (http://www.scriptkitties.com), and pre-auth
filters.

I lock down an entire subdirectory tree of my site using a pre-auth filter
setup that will redirect to an error page if they have a valid session.
When they log in to the site initially they get a cookie set, and I put into
a database entry a corresponding session ID. If there isn't a session ID in
the database, or if they don't have the cookie set, I redirect them to that
error page that tells them to log in and use javascript.

Remember that you can't use an ns_redirect after setting the cookie, since
the browser will toss the cookie away when it gets the redirect header; you
need to use the http meta refresh, and put a link on the page for them to
go through manually if their browser doesn't pick up the refresh correctly.


Here is a good chunk of what I have set up. It's not particularly efficient
(and may wordwrap) but it does the trick for me.

# Run the session check before anything under /hot/ is served, including
# the static files, so nothing in the tree is reachable without a session.
ns_register_filter preauth GET /hot/*.adp checkforsessionid args
ns_register_filter preauth GET /hot/*.js checkforsessionid args
ns_register_filter preauth GET /hot/*.css checkforsessionid args
ns_register_filter preauth GET /hot/*.jpg checkforsessionid args
ns_register_filter preauth GET /hot/*.gif checkforsessionid args
ns_register_filter preauth GET /hot/ checkforsessionid args


# Pull the session id "crumble" out of the userinfo cookie
# (ns_getallcookies / ns_getcrumble come from Stasinski's cookie package).
proc get_sessionid { conn } {
    set jar [ns_getallcookies $conn]
    set sessionid [ns_getcrumble $jar userinfo sessionid]
    return $sessionid
}

# 1 if the browser sent a non-empty session id, 0 otherwise.
proc has_sessionid { conn } {
    set sessionid [get_sessionid $conn]
    if { ![string equal $sessionid ""] } { return 1 }
    return 0
}

# Pre-auth filter: let the request through only when the session id in the
# cookie is exactly the one stored for that username in onlineusers;
# otherwise bounce the user to the "not logged in" page.
proc checkforsessionid { conn args why } {
    set validsession 0
    set username [get_cookie_username $conn]
    set sessionid [get_sessionid $conn]
    if { [has_sessionid $conn] } {
        set rowset [ns_set new]
        ns_set put $rowset username $username
        if { ![catch { set db [ns_db gethandle] } theerror] } {
            if { ![catch { set foundrec [db_findrowbyid $db "onlineusers" $rowset] } theerror] } {
                if { $foundrec != "" } {
                    set dsessionid [ns_set iget $foundrec sessionid]
                    # Exact comparison; string match would treat the
                    # cookie value as a glob pattern.
                    if { [string equal $sessionid $dsessionid] } {
                        set validsession 1
                    }
                }
            } else {
                log_error $theerror
            }
            ns_db releasehandle $db
        } else {
            log_error $theerror
        }
    }
    if { $validsession == 1 } {
        return "filter_ok"
    } else {
        ns_returnredirect "http://www.redhotadults.com/err/notloggedin.adp"
        return "filter_return"
    }
}


--
  Patrick Spence <arivenATarivenDOTcom>
  www.RandomRamblings.com
  www.Ariven.com
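The login half of the scheme above, as an added example that is not Patrick's code: it assumes AOLserver 3.x-style Tcl, an "onlineusers" table with username and sessionid columns, a hypothetical check_password proc supplied by the site, and plain username/sessionid cookies in place of the crumble format the filter's get_sessionid reads, so that proc would be adapted to match.

```tcl
# Added example (not from the original post). Assumptions: AOLserver 3.x-style
# Tcl, an "onlineusers" table with username/sessionid columns, and a
# hypothetical check_password proc provided by the site.

# Unguessable session id: four 31-bit draws from ns_rand, as 32 hex digits.
proc new_sessionid {} {
    set id ""
    for { set i 0 } { $i < 4 } { incr i } {
        append id [format %08x [ns_rand 2147483647]]
    }
    return $id
}

# Store the session, set the cookies, and return the page body. A meta
# refresh plus a manual link does the hop, since the post above notes that
# a redirect response loses the freshly set cookie.
proc start_session { username } {
    set sessionid [new_sessionid]
    set quser [ns_dbquotevalue $username]
    set qsess [ns_dbquotevalue $sessionid]
    set db [ns_db gethandle]
    # One live session per user: drop any earlier row before inserting.
    ns_db dml $db "delete from onlineusers where username = $quser"
    ns_db dml $db "insert into onlineusers (username, sessionid) values ($quser, $qsess)"
    ns_db releasehandle $db
    # Plain cookies scoped to the protected tree (assumption: the filter's
    # cookie readers are adapted to these instead of the crumble format).
    set hdrs [ns_conn outputheaders]
    ns_set put $hdrs Set-Cookie "username=[ns_urlencode $username]; path=/hot/"
    ns_set put $hdrs Set-Cookie "sessionid=$sessionid; path=/hot/"
    set target "/hot/"
    return "<html><head><meta http-equiv=\"refresh\" content=\"0;url=$target\"></head>\
<body>Logged in. <a href=\"$target\">Continue</a> if the page does not refresh.</body></html>"
}

# POST /login handler: verify the form credentials, then start a session.
proc login_handler { conn args } {
    set form [ns_conn form]
    if { $form == "" } {
        ns_return 400 text/plain "missing form"
        return
    }
    set username [ns_set get $form username]
    set password [ns_set get $form password]
    if { [check_password $username $password] } {
        ns_return 200 text/html [start_session $username]
    } else {
        ns_return 200 text/html "<html><body>Login failed.</body></html>"
    }
}

ns_register_proc POST /login login_handler
```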



I. To remove yourself from this list:

Send a message to "[EMAIL PROTECTED]"  with the following text in
the BODY of your message:

signoff aolserver

II. For a complete list of listserv options please visit:

http://listserv.aol.com/

III. For more AOLserver information please visit:

http://www.aolserver.com/