From: Jonathon McKitrick
Subject: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1142572304.338044.285550@i40g2000cwc.googlegroups.com>
I'm looking for some working code that will support basic login/logout
and protect a directory or set of files from unauthorized access.

Has anyone seen or written something along these lines?  It would be
much appreciated.

From: Thomas F. Burdick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <xcvek10kqq6.fsf@conquest.OCF.Berkeley.EDU>
"Jonathon McKitrick" <···········@bigfoot.com> writes:

> I'm looking for some working code that will support basic login/logout
> and protect a directory or set of files from unauthorized access.
> 
> Has anyone seen or written something along these lines?  It would be
> much appreciated.

What do you mean by "basic login/logout" and where do you want to get
the authorization information from?  Araneida has two methods,
AUTHENTICATE-REQUEST and AUTHORIZE-REQUEST (iirc), for doing
authentication and authorization.  If you can answer the above two
questions, it's probably 20 LOC to write the auth scheme you want.

-- 
           /|_     .-----------------------.                        
         ,'  .\  / | Free Mumia Abu-Jamal! |
     ,--'    _,'   | Abolish the racist    |
    /       /      | death penalty!        |
   (   -.  |       `-----------------------'
   |     ) |                               
  (`-.  '--.)                              
   `. )----'                               
From: Jonathon McKitrick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1142686302.689123.80860@u72g2000cwu.googlegroups.com>
Thomas F. Burdick wrote:
> What do you mean by "basic login/logout" and where do you want to get
> the authorization information from?  Araneida has two methods,
> AUTHENTICATE-REQUEST and AUTHORIZE-REQUEST (iirc), for doing

Username and password are in a database table.  I want to have a login
page with a form that will request both, and then allow/deny access to
an admin directory.  Nothing fancy.

The problem is I am having terrible caching issues that would be a huge
nightmare from a security standpoint.  I was hoping maybe an already
existing implementation would have dealt with these issues correctly,
since I cannot seem to find the solution myself.
From: R. Mattes
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <pan.2006.03.18.16.18.52.151926@hobbes.mh-freiburg.de>
On Sat, 18 Mar 2006 04:51:42 -0800, Jonathon McKitrick wrote:

> Thomas F. Burdick wrote:
>> What do you mean by "basic login/logout" and where do you want to get
>> the authorization information from?  Araneida has two methods,
>> AUTHENTICATE-REQUEST and AUTHORIZE-REQUEST (iirc), for doing
> 
> Username and password are in a database table.  I want to have a login
> page with a form that will request both, and then allow/deny access to
> an admin directory.  Nothing fancy.
> 
> The problem is I am having terrible caching issues that would be a huge
> nightmare from a security standpoint.  I was hoping maybe an already
> existing implementation would have dealt with these issues correctly,
> since I cannot seem to find the solution myself.

Somehow you didn't answer Thomas' question. Where do you want to _store_
the authentication state? In a cookie? Authentication with a login page
(which i personally consider stupid -- there's HTTP basic auth) needs 
state/sessions. With cookies it's pretty simple: do a 

(defmethod handle-request-response :before 
  ((handler your-cool-protected-handler) method request)

  ....)

Unless there's a cookie you can redirect to the login page.
Iff there's a cookie, check it against the database.

 HTH Ralf Mattes
From: Jonathon McKitrick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1142714751.067443.313170@i40g2000cwc.googlegroups.com>
R. Mattes wrote:
> Somehow you didn't answer Thomas' question. Where do you want to _store_
> the authentication state? In a cookie? Authentication with a login page
> (which i personally consider stupid -- there's HTTP basic auth) needs
> state/sessions. With cookies it's pretty simple: do a
>
> (defmethod handle-request-response :before
>   ((handler your-cool-protected-handler) method request)
>
>   ....)

Here's what I have.  A login page that collects user/password.  A
handler for the POST data from the form on this page checks for the
user/password, and returns an authorization level, or 0 if none.  If
authorized, I set a hash string as a cookie.  What I *want* is to
direct to another page on success, redirect to the login page on
failure in addition.

When accessing the protected content, I have a
handle-request-authentication that checks the cookie.  Then it should
either load the requested page OR redirect to the login page.  What it
*actually* does is unpredictable.  If I log in, then log out, the
protected page is still in the cache.  If I log in with a bad password,
then log in correctly, the login page is still in the cache as the
redirect, rather than the protected page.  I've tried combinations of
cache settings, but to no avail.
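
Added example, not part of the thread and not Araneida code: a framework-neutral Python sketch of the cookie flow described above, in which every login, logout and protected response carries `Cache-Control: no-store` and logout invalidates the session on the server. The `USERS` table, the paths, the cookie name `sid` and all function names are assumptions made for illustration, and a random session token stands in for the "hash string" mentioned in the post.

```python
import hashlib
import hmac
import secrets

NO_STORE = {"Cache-Control": "no-store"}  # browser and proxies keep no copy
SESSIONS = {}                             # token -> (user, level), server side

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the database table: user -> (salt, hash, level).
_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _hash("s3cret", _SALT), 2)}

def redirect(location, cookie=None):
    # 303 makes the browser follow with a GET; no-store keeps the redirect
    # itself from being reused after the login state has changed.
    headers = {"Location": location, **NO_STORE}
    if cookie is not None:
        headers["Set-Cookie"] = cookie
    return 303, headers, b""

def login(user, password):
    # Unknown users still go through one hash computation and a
    # constant-time compare, so both failure paths behave the same.
    salt, stored, level = USERS.get(user, (_SALT, b"", 0))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return redirect("/login")
    token = secrets.token_urlsafe(32)     # unguessable, carries no user data
    SESSIONS[token] = (user, level)
    return redirect("/admin/", f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax")

def protected(cookies, body=b"admin page"):
    # Check the cookie against server-side state on every request.
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None or session[1] < 1:
        return redirect("/login")
    return 200, dict(NO_STORE), body

def logout(cookies):
    # Drop the session first: a replayed cookie is then worthless even if
    # the browser ignores the expiry below.
    SESSIONS.pop(cookies.get("sid", ""), None)
    return redirect("/login", "sid=; Path=/; Max-Age=0")
```
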
From: Kaz Kylheku
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1142803415.967226.201900@t31g2000cwb.googlegroups.com>
R. Mattes wrote:
> the authentication state? In a cookie? Authentication with a login page
> (which i personally consider stupid -- there's HTTP basic auth)

Then all the websites out there must be doing it wrong by putting
custom login forms on their pages.

You know, like, oh, Google, Yahoo, Wikipedia, etc.
From: Thomas F. Burdick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <xcvslp9jppk.fsf@conquest.OCF.Berkeley.EDU>
"Kaz Kylheku" <········@gmail.com> writes:

> R. Mattes wrote:
> > the authentication state? In a cookie? Authentication with a login page
> > (which i personally consider stupid -- there's HTTP basic auth)
> 
> Then all the websites out there must be doing it wrong by putting
> custom login forms on their pages.
> 
> You know, like, oh, Google, Yahoo, Wikipedia, etc.

They are doing it wrong, but not by putting the login form on a web
page -- that's good, but they tend to duplicate one of the idiocies of
HTTP authentication: only one person can be logged in using a given
browser at a given time.  Ever try to check Gmail from another Gmail
user's machine?  Google gets this really wrong, and the worst is that
it's not hard to get right.

From: Jonathon McKitrick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1143201393.432439.235620@e56g2000cwe.googlegroups.com>
Thomas F. Burdick wrote:
> They are doing it wrong, but not by putting the login form on a web
> page -- that's good, but they tend to duplicate one of the idiocies of
> HTTP authentication: only one person can be logged in using a given
> browser at a given time.  Ever try to check Gmail from another Gmail
> user's machine?  Google gets this really wrong, and the worst is that
> it's not hard to get right.

Do you know of any freely available examples of how best to do this?
Lisp/Araneida would be best.  :-)
From: Jonathon McKitrick
Subject: Re: Has anyone written authentication for Araneida?
Date: 
Message-ID: <1143055196.511810.260820@v46g2000cwv.googlegroups.com>
I'm currently using the http-authentication demo from araneida, which
pops up a dialog and asks for a username and password.  This doesn't
seem to have the cache issue I was having.

Is there a disadvantage to using this method rather than the cookie
method?