> There are two problems I can think of with this scheme-
> 1) you need to keep an extra daemon running to manage the cookies
> 2) because the cookie is just a random string if someone out there
>    manages to steal it using a hole in the various web browsers out
>    there, that person can have the same access as the real individual.

You're right, we have an extra daemon, though it wouldn't have to be coded
this way.  Of course, we have a daemon on the web server, which is fairly
fast, and I don't have to compile the Kerberos libraries into a web server
module.  (Saves me at least 1MB of RAM per process for libraries that
aren't shared, and when I'm running 60-100 httpsd processes, that's a
significant savings.)  It also reduces calls to the local Kerberos
servers, which at the University of Michigan, at least, are overloaded.
(Upgrades on the way, I'm told.)

The cookie isn't as portable as it seems, though.  Which is to say, it's
just as susceptible to stealing as your cookies are.  I also do IP
checking on the host that asked for the cookie to make sure that that
doesn't change.

<method details snipped>

> Access to directories is controlled via .htaccess entries - here's a
> sample: 
> 
> UseUMDKrbAuth           on
> AuthType                Basic
> AuthName                GLUE.UMD.EDU
> 
> <limit get post>
> require valid-user
> require user bart
> require user marge lisa
> require group staff 
> </limit>

I like this idea.  In fact, we're using something VERY similar right now. 
But, this idea breaks down if you want successively more restricted
directories (like AFS ACLs), because the ONLY .htaccess file that makes
any difference in terms of authorization is the last one in the tree. 
Which means that I can't limit a directory, and then further limit a
subdirectory (dependent on the parent limitations).  I played with this
for about a week, trying to get it to do what I want, and the data
structures that the web server uses to store this data would have to be
written from httpd_core.c out to make it work the way I wanted it to.
All the coding I did was for Stronghold, but I verified that Netscape
Enterprise and Netscape Commerce servers actually work the same way.

 ~~~~
   [EMAIL PROTECTED]                              UofM/ITD Web Services
   535 W. William; AA, MI                  University of Michigan Webmaster

     Sony.  Because Caucasians are just too damn tall.  (Crazy People)
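
A small model of the authorization problem discussed in the message above, added here as an illustration and not taken from the post, Stronghold or Apache: it contrasts "only the deepest .htaccess counts" with ACL-style cumulative checks. The directory names, group membership and function names are constructed, and treating the require lines within one file as alternatives is an assumption.

```python
# Added illustration: models the behaviour described in the message,
# not Apache/Stronghold source code.
from pathlib import PurePosixPath

# Constructed sample: per-directory "require" lines, as in the quoted .htaccess.
HTACCESS = {
    "/docs": ["group staff"],
    "/docs/payroll": ["user marge lisa"],
}
GROUPS = {"staff": {"bart", "marge"}}  # constructed group membership

def satisfies(user, requires):
    """True if the user matches any one require line (assumed to be OR'ed)."""
    for line in requires:
        kind, *names = line.split()
        if kind == "valid-user":
            return True
        if kind == "user" and user in names:
            return True
        if kind == "group" and any(user in GROUPS.get(g, ()) for g in names):
            return True
    return False

def levels(path):
    """Require lists of every directory, root first, that has an .htaccess."""
    p = PurePosixPath(path)
    chain = [str(d) for d in list(p.parents)[::-1]] + [str(p)]
    return [HTACCESS[d] for d in chain if d in HTACCESS]

def allowed_last_wins(user, path):
    """Only the deepest .htaccess on the path decides (behaviour described above)."""
    found = levels(path)
    return satisfies(user, found[-1]) if found else True

def allowed_cumulative(user, path):
    """ACL-style: the user must pass every level, so a child can only narrow access."""
    return all(satisfies(user, req) for req in levels(path))

if __name__ == "__main__":
    for user in ("bart", "marge", "lisa"):
        print(user, allowed_last_wins(user, "/docs/payroll"),
              allowed_cumulative(user, "/docs/payroll"))
```

In this constructed tree lisa is not in staff, so the last-wins model lets her into /docs/payroll even though /docs itself is closed to her, while the cumulative model refuses her.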
