For any authentication system to work you need to know who the user claims
to be, and secondly you need to figure out a way to verify that what he is
saying is correct. The common practice is to go for a ticket-based
system. Here the user is asked for his userid and password and issued a
ticket in return - this ticket needs to be passed back to the server for
every secure area he is accessing. The ticket is implemented either by
URL mangling or cookies. URL mangling is where you find every URL on
your page seems to have the actual URL and a million junk characters
appended to it :). Cookies on the other hand are set on the client side
with an MD5 hash so that the user can't tamper with the data.

Whatever you choose, the whole process is tightly coupled with what the
webserver sees; I don't think you can isolate the authentication process
from the webserver safely. What you could of course do is let Apache on
Linux do the authentication and send the appropriate ticket to the user
and the IIS can pick and do whatever it feels like with the mangled URL
or the cookies that the browser sends back to the server. Of course, don't
forget cookies need to be set for the right domain.




Mithun
PS: I just hope you are not confusing authorization with authentication.

_______________________________________________
linux-india-help mailing list
http://lists.sourceforge.net/lists/listinfo/linux-india-help
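
The ticket scheme described in the message above, as an added example that is not part of the original post: one server issues a tamper-evident ticket after the password check and a second server verifies it from the cookie. It uses a keyed HMAC-SHA256 rather than the bare MD5 hash the post mentions; the shared key, the lifetime, the function names and the example.com domain are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: the same secret is provisioned on the issuing and verifying servers.
SHARED_KEY = b"constructed-demo-key-change-me"
TICKET_LIFETIME = 1800  # seconds; hypothetical policy value


def _mac(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_ticket(userid: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Run by the authenticating server once the password check has passed."""
    if "|" in userid:
        raise ValueError("userid must not contain the field separator")
    payload = f"{userid}|{now + TICKET_LIFETIME}"
    return f"{payload}|{_mac(payload, key).decode()}"


def verify_ticket(ticket: str, now: int, key: bytes = SHARED_KEY):
    """Run by the other server on every request; returns the userid or None."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    userid, expires, mac = parts
    # Compare as bytes in constant time; a non-ASCII forged MAC must not raise.
    if not hmac.compare_digest(mac.encode(), _mac(f"{userid}|{expires}", key)):
        return None  # edited by the client, or signed with a different key
    if int(expires) < now:  # safe: the expiry field is covered by the MAC
        return None
    return userid


def set_cookie_header(ticket: str, domain: str) -> str:
    """Cookie scoped to the parent domain so both servers receive it."""
    return f"Set-Cookie: ticket={ticket}; Domain={domain}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    t = issue_ticket("alice", now=int(time.time()))  # constructed sample user
    print(set_cookie_header(t, "example.com"))
    print(verify_ticket(t, now=int(time.time())))
```
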