> Great way to annoy users "Thank you for providing correct credentials,
> but get lost anyway..." :-/
> It would probably be nicer to deny on IP address first, that way you
> wouldn't expose your login forms on systems whose IP addresses you
> don't want logging in for whatever reason.
Here you are assuming that there is only one set of users / IP addresses and that all users are being validated by IP address. Given the situation that there are multiple users accessing from multiple IP addresses, how do you propose to authenticate someone based on their IP address if you don't know who they are?

Trust me on this, this was exactly the situation that we had at the last company I worked at: multiple institutions accessing from various sets of IP addresses. We had to allow the user to enter their credentials before we could check that they were actually allowed to access the service from that IP address. We even had to deal with people from one institution accessing the service from a computer at another institution, and some computers (such as those found in libraries) being allowed access with a default user from referrers or cookies set by the proxies. Also, institutions used their library card numbers to access the system (hardly a unique identifier), which had to be backed up with other credentials behind the scenes to allow the user smooth access to the correct resources.

We ran online reference sites that were accessed by Universities, Colleges, Libraries and Companies all over the world. Sites such as
http://www.oxfordreference.com/
http://www.oxfordartonline.com/
http://www.blackwellreference.com/
http://www.worldoflearning.com/
and many more. The company that I used to work for is called Semantico (http://www.semantico.com/).

The situations I have described, and many more, are handled by the authentication system we built, and it took a lot of time to get the various edge cases to work as you would expect. Again I say trust me, I spent seven years working on polishing the authentication system used by Semantico and the sites that used it.

Authentication is ENTIRELY edge cases :)

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
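The flow the reply above argues for (credentials first, then an IP check against the ranges that apply to the user you have just identified) as an added Ruby example. This is illustrative code written for this page, not code from the post, from Semantico or from any of the sites named; the institutions, users, CIDR ranges, passwords and the `roaming` and `walk_in_user` attributes are all constructed assumptions. It also includes an `ip_first_policy` that does what the quoted suggestion proposes, so the two approaches can be compared on the same inputs: the IP-first check cannot admit a legitimate user from an unlisted address because it never learns who is asking.

```ruby
require "openssl"
require "ipaddr"

# Password storage for the demo: PBKDF2-HMAC-SHA256 with a per-user salt.
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
end

# Constant-time comparison so a wrong password and a near-miss take the same time.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical institutions (assumed data): CIDR ranges plus an optional "walk-in" default
# user for unauthenticated sessions arriving from the institution's own addresses
# (the library-terminal case in the post, here keyed on IP rather than referrer/cookie).
INSTITUTIONS = {
  "univ_a"    => { ranges: ["10.1.0.0/16", "192.0.2.0/24"], walk_in_user: "univ_a_walkin" },
  "college_b" => { ranges: ["10.2.0.0/16"],                 walk_in_user: nil },
}.freeze

# Hypothetical users (assumed data). :roaming marks people allowed to log in from outside
# their own institution's ranges, e.g. from a computer at another institution.
USERS = {
  "alice" => { salt: "s1", key: derive_key("correct horse", "s1"),  institution: "univ_a",    roaming: false },
  "bob"   => { salt: "s2", key: derive_key("battery staple", "s2"), institution: "college_b", roaming: true  },
  "univ_a_walkin" => { salt: nil, key: nil, institution: "univ_a", roaming: false }, # no password login
}.freeze

def ip_in_ranges?(ip, ranges)
  addr = IPAddr.new(ip)
  ranges.any? { |cidr| IPAddr.new(cidr).include?(addr) }
end

def institution_for_ip(ip)
  hit = INSTITUTIONS.find { |_, inst| ip_in_ranges?(ip, inst[:ranges]) }
  hit && hit.first
end

# The quoted suggestion: decide on the IP before showing any login form.
# It has to refuse bob at home, because it does not yet know the request is bob's.
def ip_first_policy(ip)
  !institution_for_ip(ip).nil?
end

# Step 1: who is this? Returns the user record only if the password verifies.
def authenticate(username, password)
  user = USERS[username]
  return nil unless user && user[:key] && password
  secure_equal?(derive_key(password, user[:salt]), user[:key]) ? user : nil
end

# Step 2: now that we know the user, check the IP against the ranges that apply to them.
def access_decision(ip:, username: nil, password: nil)
  if username.nil?
    inst = institution_for_ip(ip)
    walk_in = inst && INSTITUTIONS[inst][:walk_in_user]
    return { allow: false, reason: "credentials required" } unless walk_in
    return { allow: true, user: walk_in, institution: inst, reason: "walk-in from institutional IP" }
  end
  user = authenticate(username, password)
  return { allow: false, reason: "bad credentials" } unless user
  if user[:roaming] || ip_in_ranges?(ip, INSTITUTIONS[user[:institution]][:ranges])
    { allow: true, user: username, institution: user[:institution], reason: "credentials valid, IP permitted" }
  else
    { allow: false, reason: "credentials valid, but #{ip} is outside #{user[:institution]} ranges" }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts access_decision(ip: "10.1.5.5", username: "alice", password: "correct horse")     # on campus
  puts access_decision(ip: "10.2.0.9", username: "alice", password: "correct horse")     # valid creds, other site
  puts access_decision(ip: "203.0.113.7", username: "bob", password: "battery staple")   # roaming user
  puts access_decision(ip: "10.1.5.5")                                                   # library terminal
  puts ip_first_policy("203.0.113.7")                                                    # IP-first would block bob
end
```

The order matters for the reason the post gives: the IP allow-list is a property of the institution, and the institution is only known once the user is. The cost is the "thanks for the correct password, now go away" outcome for `alice` at college_b's address; the code still reports that as a distinct reason so it can be logged and explained rather than looking like a wrong password.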

