Hi Mark --

> Thanks for the feedback Jesse. That's very useful. I have another
> question related to this paradigm. When handling authentication through
> Apache, does this always have to be done with the browser pop-up boxes,
> like .htaccess?
Absolutely not. I only use Auth* handlers which allow me to use login applications with HTML forms. Our internally-created Auth* handlers all function using HTML forms.

The "pop-up box" you describe is really a feature which is called "Basic-Auth". Every web browser has, built into it, a special function which puts a dialog in front of the user into which they are expected to input their login credentials. This is invoked when you send a particular "result code" HTTP header to the web browser. In Basic-Auth, when a user submits their credentials, the web browser automatically sends the supplied username and password back to the web server on *every* request, in the HTTP header. Your Auth* module is responsible for validating that username and password on *every request*.

Besides the counter-intuitive nature of these login dialog boxes, this architecture creates two problems. First, there is the performance issue of validating every request for authenticity. It is better, from a run-time performance point of view, to issue a special token (often referred to as a "Session ID" cookie) which caches the validity of an authentication transaction. Second, there is the security issue of passing the username and password (essentially, in clear text) on every request. Short of SSL-encrypting every request to your web server, there is no easy way to protect this type of authentication from snooping. It is far easier to SSL-encrypt a login process, and allow all other transactions to be "in the clear".

One clarification regarding ".htaccess" -- This file is not synonymous with Basic-Auth. The ".htaccess" files are simply a conventional way to easily supply per-directory configuration. Through this mechanism, you could have different security levels. Consider:

    /htdocs/.htaccess:             require valid-user
    /htdocs/membersonly/.htaccess: require group member
    /htdocs/admin/.htaccess:       require group admin

If you write your own Auth* handler (or use any popular one) you can read the configuration supplied via the ".htaccess" files to configure *your* Auth* system! You can do this even if you use HTML form-based login (instead of Basic-Auth). In fact, if you write your own Auth* module I strongly encourage you to use the ".htaccess" files as a mechanism for configuring your security! It is a widely understood convention which will make it much easier for people to understand how to use your handler.

Out of curiosity: How many people here would be interested if I were to release some version of my Auth* modules to CPAN? I'm not very familiar with most of the 50 or so Auth* modules already there -- is this something which would be of value to many people, or only a couple?

TTYL,

-Jesse-

---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/cgiapp@lists.vm.com/
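The two designs Jesse contrasts above (password re-validated from the Basic-Auth header on every request, versus a signed session token issued once after a form login, with authorization driven by the `require` lines in per-directory `.htaccess` files) can be modelled in a few dozen lines. The block below is an added example written for this thread; it is not Jesse's Auth* module nor anything from CPAN or the CGI::Application project, and it is Python rather than mod_perl. Everything in it is constructed: the user table, the three `.htaccess` fragments (mirroring the three paths in the message), the server secret, and the simplifying assumption that the deepest directory carrying a `require` line overrides its parents (an approximation of Apache's AuthConfig merge, not an implementation of Apache).

```python
"""Toy Auth* handler: Basic-Auth vs. signed session cookie, authorized by .htaccess 'require' lines.
Added illustrative example; all data below is constructed, not from any real site."""
import base64
import hashlib
import hmac
import secrets
import time

def _pw_hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed user database: salted password hash plus group membership.
USERS = {
    "alice": {"salt": b"s1", "hash": _pw_hash(b"s1", "alice-pw"), "groups": {"member"}},
    "root":  {"salt": b"s2", "hash": _pw_hash(b"s2", "root-pw"),  "groups": {"member", "admin"}},
}

# Constructed .htaccess contents for the three directories named in the message.
HTACCESS = {
    "/htdocs":             "require valid-user\n",
    "/htdocs/membersonly": "require group member\n",
    "/htdocs/admin":       'AuthName "Admin area"\nrequire group admin\n',
}

SESSION_KEY = secrets.token_bytes(32)  # constructed server-side secret for signing tokens

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        hmac.compare_digest(_pw_hash(b"x", password), "0" * 64)  # burn similar time for unknown users
        return False
    return hmac.compare_digest(_pw_hash(rec["salt"], password), rec["hash"])

def parse_require(text: str):
    """Extract ('valid-user'|'user'|'group', {names}) tuples from 'require' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].lower() == "require":
            rules.append((parts[1].lower(), set(parts[2:])))
    return rules

def effective_rules(path: str):
    """Assumed merge: the deepest matching directory that has a 'require' wins."""
    rules = []
    for d in sorted(HTACCESS, key=len):
        if path == d or path.startswith(d + "/"):
            rules = parse_require(HTACCESS[d]) or rules
    return rules

def authorize(user, path: str) -> bool:
    rules = effective_rules(path)
    if not rules:
        return True                      # no 'require' applies: unrestricted
    if user is None:
        return False
    groups = USERS.get(user, {}).get("groups", set())
    return any(kind == "valid-user" or (kind == "user" and user in names)
               or (kind == "group" and groups & names) for kind, names in rules)

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def user_from_basic_auth(header):
    """Basic-Auth: the full password is present (and re-checked) on every request."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except Exception:
        return None
    return user if check_password(user, password) else None

def issue_session(user: str, password: str, now=None, ttl=3600):
    """Form-login step: password checked once, then an HMAC-signed token caches the result."""
    if "|" in user or not check_password(user, password):
        return None
    body = f"{user}|{int((now or time.time()) + ttl)}"
    return body + "|" + hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()

def user_from_session(token, now=None):
    """Validate signature and expiry only; no password handling on the hot path."""
    if not token or token.count("|") != 2:
        return None
    user, exp, sig = token.split("|")
    expected = hmac.new(SESSION_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or int(exp) < (now or time.time()):
        return None
    return user if user in USERS else None

def handle(path: str, headers: dict, now=None) -> str:
    """Authenticate via session cookie first, then Basic-Auth; then authorize by .htaccess."""
    cookie = headers.get("Cookie", "")
    token = cookie[len("session="):] if cookie.startswith("session=") else None
    user = user_from_session(token, now) or user_from_basic_auth(headers.get("Authorization"))
    if authorize(user, path):
        return "OK"
    return "FORBIDDEN" if user else "LOGIN_REQUIRED"
```

Run as-is, `handle("/htdocs/admin/index.html", {"Cookie": "session=" + issue_session("root", "root-pw")})` returns `"OK"`, while the same cookie for `alice` returns `"FORBIDDEN"` there and `"OK"` under `/htdocs/membersonly/`. The point to take from `user_from_basic_auth` is that every request hands the handler the recoverable password, which is exactly why Jesse recommends confining the password to one TLS-protected login and letting a signed, expiring token carry the result afterwards.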