in reply to Newbie Question - Maintaining User Authenication Through Multiple Scripts

Is there some reason why you are doing your own authentication instead of using the Basic authentication offered by Apache, Internet Information Server, Oracle Application Server, and most other web servers?

If you were using Apache's Basic authentication then you would not even need to worry about this matter. There are also numerous third-party authentication/encryption packages. I used to use Entrust from Canada. It also does your work for you, and goes well beyond the basic authentication offered by Apache.


Re: Re: Newbie Question - Maintaining User Authenication Through Multiple Scripts
by mamut (Sexton) on Jun 25, 2001 at 19:05 UTC
    But there are some problems when a user tries to log out when you use Basic auth:
    you must send them an authorization failure, the user must click Cancel ...

    The best way is to send the user a cookie with a timestamp and a unique session ID, and store the session in some database on your side or directly in the file system (your choice) :-)
    After each request, read the cookie and update the timestamp in the cookie and the timestamp in the DB for that session ID.
    That system has some problems:
    1. you need a garbage collector process or module to clear timed-out sessions :-)
    2. lots of space when the timeout is short :-)
      I am not sure what that means. Yes, if a user tries to login using BASIC authentication and then changes her mind she will have to hit the cancel button on the login prompt. I cannot see that as a problem.

      Roll-your-own authentication with cookies frightens me. For one thing, there are security implications. If you are not careful then a clever user could read his own cookie and possibly modify it to become someone else. This whole endeavor seems like reinventing a wheel when you could borrow a bicycle. Use built-in authentication (usually BASIC auth on Apache) unless there is some reason not to. Especially when the person who is rolling his own authentication calls himself a "newbie." Don't ask sixth graders to perform surgery on themselves, and don't ask newbies to write their own authentication modules.
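The following is an added Python sketch, not code from this thread or from PerlMonks, of the cookie-session scheme mamut describes (timestamped session record on the server, refreshed on every request, swept by a garbage collector) together with the safeguard against the concern raised in the reply above: the cookie carries only an unguessable random session ID plus a server-side MAC, so a user who edits his own cookie cannot land on anyone else's session. It assumes an in-memory dict standing in for the database or file store, a constructed server key, and a 15-minute idle timeout; all of these are assumptions, not anything from the thread.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for this example only; a real deployment loads it from
# configuration, never from source control.
SERVER_KEY = b"example-only-server-key"
IDLE_TIMEOUT = 900  # seconds of inactivity before a session is dropped (assumed)

# Stand-in for mamut's "database on your side": session_id -> {user, last_seen}
SESSIONS = {}


def _sign(sid):
    # Cookie value is "<sid>.<hmac>" so tampering with either part is detectable.
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def new_session(user, now=None):
    """Create a server-side session for `user` and return the cookie value to send."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG: an attacker cannot guess another
    # user's ID, which is what makes "edit the cookie, become someone else" fail.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return _sign(sid)


def lookup(cookie, now=None):
    """Resolve a cookie to a user name, or None if it is forged, unknown or timed out.

    On success the server-side timestamp is refreshed (sliding expiry), which is
    the "update timestamp in DB after each request" step from mamut's post.
    """
    now = time.time() if now is None else now
    sid, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison of the whole signed value against a fresh MAC.
    if not hmac.compare_digest(_sign(sid), cookie):
        return None
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]  # lazy expiry on access
        return None
    entry["last_seen"] = now
    return entry["user"]


def logout(cookie):
    """Explicit logout: delete the server record, so the cookie is dead even if kept.

    This is the part Basic auth cannot offer, since the browser keeps resending
    credentials until the user hits Cancel on a 401 prompt.
    """
    sid = cookie.rpartition(".")[0]
    return SESSIONS.pop(sid, None) is not None


def garbage_collect(now=None):
    """mamut's point 1: periodic sweep of timed-out sessions. Returns how many were removed."""
    now = time.time() if now is None else now
    stale = [sid for sid, e in SESSIONS.items() if now - e["last_seen"] > IDLE_TIMEOUT]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)


if __name__ == "__main__":
    cookie = new_session("alice", now=1000.0)
    print("valid   :", lookup(cookie, now=1100.0))              # alice
    print("tampered:", lookup("x" + cookie, now=1100.0))        # None
    print("expired :", lookup(cookie, now=1100.0 + 901))        # None
```

The design point is that nothing a user can read in the cookie is trusted: identity lives in the server-side record, the ID is random rather than sequential, and the MAC only adds early rejection of edited values. mamut's second problem (storage growth with short timeouts) is the same here; the sweep in `garbage_collect` is what keeps the table bounded.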