On Tue, 17 Oct 2000, John Saylor wrote:
> From: "Ian Frawley" <[EMAIL PROTECTED]>
> > Is it not just possible through a perl module as I am not very clued
> > up on digital certificates.
> Well, you have to have some credentials- and if it's not a cookie [bad
> idea anyway], and if it's not a username/password- what would it be?
Form based authentication. Rather than the HTTP Basic box that the browser
provides.
> You could have IP address based authentication, but this is probably
> more prone to misconfiguration and forgery than digital certificates.
Yes. You forgot proxying and caching.
What you also appear to have forgotten is that mod_perl provides you with
a fantastic handle - PerlTransHandler - where you can really have some fun
with the Translation.
| # some test code....
| use Apache::Constants qw(DECLINED);
| sub handler
| {
|     my $r=shift;
|     my $uri=$r->uri();
|     # extract_crypto() is assumed to be defined elsewhere: it strips the
|     # credential out of the URI in place and returns true if one was found.
|     if(extract_crypto(\$uri))
|     {
|         # push the credentials into the notes table, or the
|         # %ENV or similar at this point.
|         $r->uri($uri);
|     }
|     return DECLINED;
| }
This can still be cryptographically secure - requires the transmission of
username/password pair once - which can be done over https if required.
Thereafter you can do what you like to identify a session....
> How important is access control to your application? In other words,
> where is the line on how much effort you [and your users] are going to
> put into security at the expense of convenience?
I think that the usage of digicerts is not wide enough yet that the use of
them is probably an inconvenience. Plus it doesn't work if someone
physically steals the computer. :)
MBM
--
Matthew Byng-Maddick Home: <[EMAIL PROTECTED]> +44 20 8981 8633 (Home)
http://colondot.net/ Work: <[EMAIL PROTECTED]> +44 7956 613942 (Mobile)
standards n.: The principles upon which we reject other people's code.
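As an added illustration of the PerlTransHandler approach described in the message above (example code, not from the original post or the mod_perl project), here is a translation handler that pulls an HMAC-signed session token out of the URI, rejects expired or tampered tokens, records the user in the notes table and rewrites the URI before Apache maps it to a file. It assumes mod_perl 1.x, Digest::SHA, a constructed token layout of `/s/<user>.<expiry>.<hmac>/rest/of/path`, and a hypothetical `PerlSetVar SessionSecret` directive holding the server-side key.

```perl
package My::TransHandler;
use strict;
use warnings;
use Apache::Constants qw(DECLINED);
use Digest::SHA qw(hmac_sha256_hex);

# Token layout embedded in the path (constructed format for this example):
#   /s/<user>.<expiry-epoch>.<hex-hmac>/rest/of/path
# The HMAC covers "<user>.<expiry>", so neither field can be altered
# without the server-side secret.
sub extract_crypto {
    my ($uri_ref, $secret) = @_;
    return unless $$uri_ref =~ m{^/s/([A-Za-z0-9_]+)\.(\d+)\.([0-9a-f]{64})(/.*)?$};
    my ($user, $expiry, $mac, $rest) = ($1, $2, $3, $4 || '/');
    return if $expiry < time;                          # expired token
    my $expected = hmac_sha256_hex("$user.$expiry", $secret);
    return unless constant_time_eq($mac, $expected);   # forged or tampered
    $$uri_ref = $rest;                                 # strip token from path
    return $user;
}

# Compare two hex strings without returning early on the first mismatch,
# so the comparison time does not leak how much of the MAC was right.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub handler {
    my $r = shift;
    my $uri = $r->uri;
    # Hypothetical PerlSetVar; with no secret configured, do nothing.
    my $secret = $r->dir_config('SessionSecret') or return DECLINED;
    if (my $user = extract_crypto(\$uri, $secret)) {
        $r->notes('session_user', $user);   # later phases read this
        $r->uri($uri);                      # let Apache map the real path
    }
    return DECLINED;                        # normal translation continues
}

1;
```

Wire it up with `PerlTransHandler My::TransHandler` and a `PerlSetVar SessionSecret` in httpd.conf; the token itself still has to be issued once over HTTPS after the username/password exchange, as the message notes.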