Date: Fri, 6 Feb 1998 12:47:35 +0800 (WST) From: Adrian Chadd <adrian@obiwan.creative.net.au> To: Andrew McNaughton <andrew@squiz.co.nz> Cc: freebsd-config@freebsd.org Subject: RE: WebAdmin Message-ID: <Pine.BSF.3.95q.980206124336.1041B-100000@obiwan.creative.net.au> In-Reply-To: <v02120d00b0ff5030c15f@[203.96.56.128]>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 6 Feb 1998, Andrew McNaughton wrote: > > [Adrian] > >Depends. > ><INPUT TYPE="HIDDEN"> ? > > > >I've written a couple of web-based SQL databases, and I have been able > >to sucessfully encode enough state into the webpages themselves to make > >the databases useable and stable. > > I'm new to FreeBSD, but I've spent the past year doing CGI programming, > including a system for administering a database of users (not users in the > sense of being in /etc/passwd though). > > The first time I wrote an authentication system, I used a hidden session > key as suggested above. > > It's messy, mostly because it gets lost any time the user visits a static > page as tends to happen when they go to look at some documentation. If > users are encouraged (or even allowed) to back up using the browser's back > button, then problems occur with form data being resubmitted in order to > view a page again. It's somewhat browser dependent. To prevent this, > session keys should probably be changed whenever data is submitted, though > I haven't yet implemented this. > I like the mini-httpd idea for implementing some form of state in HTTP 1.0 .. The thing is the only pages with HIDDEN tags would be cgi-generated pages. If someone bookmarked, say .. the modify page where you modify the information for a particular user, then the cgi would notice it didn't have any name/value tags passed to it, and would either show an error or (what I prefer) the page that called it. You know you can get the username called from a HTTP authentication session from the CGI's environment? I implemented login/passwords this way, and I never had a problem with caching pages with hidden tags, usernames, etc. In fact the biggest problem I had was getting people to kill their browsers when they walked away, since the browser caches the Authentication username/password :P Adrian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.980206124336.1041B-100000>