
Re: Authentication in CGIs via PAM



Ingo Luetkebohle <ingo@devconsult.de> writes:

> On Tue, Dec 21, 1999 at 08:59:29AM -0500, William M. Perry wrote:
> > Because none of the PAM authentication modules for apache (and other
> > servers like POP3 and some IMAP servers) and fundamentally broken if you
> > try to use anything but username/password combinations.
> 
> I see your point. Ok, in that case, it gets complicated when you want to
> do it in a module.
> 
> btw, in the case of HTTP (and thus Apache), it's a fundamental restriction
> of the protocol.

Yup, we knew not what we were doing back in 1992/1993 :)  Forgive us our
trespasses.

The best that you can reasonably do for HTTP (without doing something
incredibly stupid like MS did for their NTLM authentication in requiring
HTTP keep-alives and assuming that the same connection will be used by the
same user, which is not necessarily true in proxying cases) is to convert
the PAM stuff into a form-based 'entry screen', and remember the URL and
any data the user really wanted to get to and do a redirect when they
finish.

Not exactly an ideal situation, but doable.

> It might be interesting to discuss a way that could be changed -- has
> anyone developed a good authentication procedure for stateless protocols?

There needs to be an artificial way to impose state on the protocol.
Either using SSL sessions that will be resumed (although this has problems
with idiot programs like IE that renegotiate every 2 minutes whether the
session has expired on the server or not) or HTTP cookies.  Neither of
which is guaranteed to work on all browsers and user configurations.

Isn't the web just GRAND?

-Bill P.
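
Added example (not part of the original message): a sketch of the form-based entry screen plus cookie-imposed state described above, where the remembered URL and the session are carried as HMAC-sealed tokens. The key, lifetimes and function names are assumptions, and the PAM conversation itself is assumed to have succeeded before finish_login is called.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: per-server secret, never sent to clients
SESSION_TTL = 1800                 # assumption: 30-minute sessions
FORM_TTL = 300                     # assumption: 5 minutes to complete the login form

def seal(data: dict) -> str:
    """Serialize and HMAC a dict so the client can carry it but not alter it."""
    body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac

def unseal(token: str, now: float):
    """Return the dict if the MAC is valid and it has not expired, else None."""
    try:
        body, mac = token.split(".")
        good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return None
        data = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    return data if data.get("exp", 0) > now else None

def login_form_state(requested_path: str, now: float) -> str:
    """Hidden-field value remembering where the user wanted to go."""
    return seal({"kind": "form", "next": requested_path, "exp": now + FORM_TTL})

def finish_login(form_state: str, user: str, now: float):
    """Call only after the PAM conversation succeeded. Returns (redirect, cookie)."""
    state = unseal(form_state, now)
    nxt = state["next"] if state and state.get("kind") == "form" else "/"
    # Only same-site absolute paths; anything else falls back to the front page.
    if not nxt.startswith("/") or nxt.startswith("//") or "\\" in nxt:
        nxt = "/"
    cookie = seal({"kind": "session", "user": user, "exp": now + SESSION_TTL})
    return nxt, cookie

def session_user(cookie: str, now: float):
    """Per-request check: the cookie alone re-establishes who is asking."""
    data = unseal(cookie or "", now)
    return data["user"] if data and data.get("kind") == "session" else None
```

The "kind" field keeps a login-form token from being replayed as a session cookie. In deployment the cookie would also be sent with the Secure and HttpOnly attributes.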


