From owner-freebsd-config Thu Feb 5 20:48:28 1998 Return-Path: Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA25017 for config-outgoing; Thu, 5 Feb 1998 20:48:28 -0800 (PST) (envelope-from owner-config) Received: from obiwan.creative.net.au (obiwan.creative.net.au [203.56.168.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA24935 for ; Thu, 5 Feb 1998 20:47:55 -0800 (PST) (envelope-from adrian@obiwan.creative.net.au) Received: from localhost (adrian@localhost) by obiwan.creative.net.au (8.8.8/8.8.5) with SMTP id MAA01082; Fri, 6 Feb 1998 12:47:35 +0800 (WST) Date: Fri, 6 Feb 1998 12:47:35 +0800 (WST) From: Adrian Chadd To: Andrew McNaughton cc: freebsd-config@freebsd.org Subject: RE: WebAdmin In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-config@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Fri, 6 Feb 1998, Andrew McNaughton wrote: > > [Adrian] > >Depends. > > ? > > > >I've written a couple of web-based SQL databases, and I have been able > >to sucessfully encode enough state into the webpages themselves to make > >the databases useable and stable. > > I'm new to FreeBSD, but I've spent the past year doing CGI programming, > including a system for administering a database of users (not users in the > sense of being in /etc/passwd though). > > The first time I wrote an authentication system, I used a hidden session > key as suggested above. > > It's messy, mostly because it gets lost any time the user visits a static > page as tends to happen when they go to look at some documentation. If > users are encouraged (or even allowed) to back up using the browser's back > button, then problems occur with form data being resubmitted in order to > view a page again. It's somewhat browser dependent. To prevent this, > session keys should probably be changed whenever data is submitted, though > I haven't yet implemented this. > I like the mini-httpd idea for implementing some form of state in HTTP 1.0 .. The thing is the only pages with HIDDEN tags would be cgi-generated pages. If someone bookmarked, say .. the modify page where you modify the information for a particular user, then the cgi would notice it didn't have any name/value tags passed to it, and would either show an error or (what I prefer) the page that called it. You know you can get the username called from a HTTP authentication session from the CGI's environment? I implemented login/passwords this way, and I never had a problem with caching pages with hidden tags, usernames, etc. In fact the biggest problem I had was getting people to kill their browsers when they walked away, since the browser caches the Authentication username/password :P Adrian