web client authentication via cgi script
[1/5] from: jjmmes::yahoo::es at: 31-Jul-2003 17:30
Hi, Has anybody put together REBOL code that authenticates browser clients and allows for stateless navigation via cookies ? FYI, there is an excellent paper on this very topic that also outlines how vulnerable many sites are --> Dos and don'ts of client authentication on the web at http://cookies.lcs.mit.edu Regards jose
[2/5] from: andrew:martin:colenso:school at: 1-Aug-2003 8:10
> Has anybody put together REBOL code that authenticates browser clients
[3/5] from: SunandaDH:aol at: 31-Jul-2003 16:17
> Has anybody put together REBOL code that authenticates > browser clients and allows for stateless navigation > via cookies ?
Exactly what I'm working on at the moment! Once a user has logged on and identified themselves, I'm using a cookie to know who they are, and serve them appropriate content. I'm still working basically stateless as I don't need any context other than their identifying cookie. That article was very useful -- essentially confirmed that I'd thought through all the security issues and dreamt up something that should work. Thanks! Sunanda.
[4/5] from: jjmmes:yah:oo:es at: 1-Aug-2003 10:14
Hi Sunanda, Can you share the code ? I don't want to reinvent the wheel. Thanks Jose --- [SunandaDH--aol--com] escribió: > Jose:
[5/5] from: jjmmes:yah:oo:es at: 1-Aug-2003 10:11
> I'm puzzled. I thought the web and navigating > through links to web pages > was inherently stateless?
Yes, HTTP is stateless. What I meant is that you can: 1) authenticate and mantain server state: authenticate a user and then have a session id or 2) authenticate and do not mantain server state: you can put the necessary info in the cookie (authenticator info) and track the user this way I'm looking for approach 2, which is more scalable.