Terry Carmen wrote:
> Quoting "J.Lance Wilkinson" <jlw12@xxxxxxx>:
>> Terry Carmen wrote:
>>> Quoting "J.Lance Wilkinson" <jlw12@xxxxxxx>:
>>>> I'm looking for a VERY SIMPLE single value authentication module
>>>> (like BASIC Authentication, but only a USER ID, no prompt for
>>>> PASSWORD) for Apache 2.2.x. User IDs that will be used are going to
>>>> be long numeric transaction ids provided by an external e-commerce
>>>> site.
>>>
>>> You'll probably find it much simpler to use the standard basic auth
>>> mechanism, use your transaction id for the login and pass in a dummy
>>> password.
>>
>> Not sure how I'd "pass in a dummy password" from my HTTPD to the
>> user's browser.
>
> How were you planning on passing the transaction ID as the userid?

I wasn't planning on passing the transaction ID. I was planning on the
user supplying the transaction ID when prompted.

> If you can do one, you can do the other.
>
>>> Although I've never tried it, and it seems like a really bad idea, it
>>> will supposedly accept a Boolean expression, so you could try
>>> "Require true" or something similar.
>>
>> Agreed. Sounds like a bad idea.
>
> This was a method of accomplishing what you asked for: single-value
> authentication.

All I was doing here was agreeing with your comment that it seemed like a
really bad idea.

>>> In any case, if your transaction IDs can be predicted or
>>> brute-forced, this all sounds like a really bad idea.
>>
>> I guess an alternative would be to use the transaction ID as the USER
>> (required unique) and then use as the password the name of the entity
>> associated with that transaction.
>
> This sounds like a case of "I have a hammer, so these must be nails."

Actually, it was based on a non-Apache authentication scheme I recently
observed in use by a separated organization within my parent University
community, which issues an ID CARD with a unique identity number to
Alumni, and tells them to use their last name as the "password."

> What you *really* need is code that accepts whatever you want to pass
> in and returns whatever you're supposed to send back. This should be
> reasonably easy in almost any language or platform that Apache supports
> (php, perl, C, CGI, etc.). I'm not sure you're actually looking for any
> sort of auth, since you're not actually authenticating with it.

Actually, I *AM* trying to AUTHENTICATE with it. I have a directory that
contains content that is to only be accessed by individuals who have paid
a specific fee. I want HTTPD to only offer that directory and its content
to individuals who have gotten through the authentication. Payment of
that fee will establish a transaction id. They would be prompted for the
transaction id and, if the id supplied is valid and has not expired, they
would be granted access to the page in question.

On further thought, my simplest method is to use BASIC AUTHENTICATION and
Require valid-user, where the "USER" is the Transaction ID, and the
"PASSWORD" is a case-specific keyword they supplied when they made the
purchase. Transaction IDs and keywords would be stored in an (as far as
HTTPD is concerned) htpasswd file referenced by an AuthUserFile directive.
An asynchronous procedure would run the htpasswd utility to add new
entries to the file when a purchaser makes payment, and change out their
keyword "PASSWORD" when they expire. This procedure would be run by the
office that accepts Credit Card payments for the protected materials. It
would start out as a simple script that assigns transaction ID and keyword
as if they were a user id and password, manually run by a clerk.
Eventually, it would be modified to be part of an automated e-commerce
transaction. Expiration-based keyword/password change-outs would likely
be done by a cron job.

I believe this sufficiently decouples the HTTPD work from the e-commerce
work so that if the e-commerce piece is not ready, we have a stopgap
procedure. While this depends on the robustness of the HTTPD basic
authentication, I think this will be sufficient for our purposes.
-- 
J.Lance Wilkinson ("Lance")            InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead       Phone: (814) 865-4870
Digital Library Technologies           FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
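The htpasswd-file workflow Lance settles on in the message above, as an added example that is not part of the thread: a small stand-in for the htpasswd utility that records a paid transaction ID and keyword as an AuthUserFile entry, and a cron-style step that voids lapsed entries by changing out the keyword. The `{SHA}` entry format is the one `htpasswd -s` writes; the numeric-ID rule, the minimum keyword length, the expiry ledger and the sample transaction ID are assumptions constructed for the example.

```python
"""AuthUserFile where the Basic-auth user is a numeric transaction ID and the
password is the purchaser's keyword, with an expiry ledger for a cron job."""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed policy: ids are long and numeric; keywords are at least 8 chars
# and may not contain ':' or a newline, which would corrupt the user:hash lines.
TXID_RE = re.compile(r"^[0-9]{8,}$")


def sha_entry(keyword: str) -> str:
    """Hash in the {SHA} form that `htpasswd -s` writes and mod_auth_basic reads."""
    digest = hashlib.sha1(keyword.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def add_purchase(passwd: dict, ledger: dict, txid: str, keyword: str,
                 expires_at: int) -> None:
    """Clerk or e-commerce step: record a paid transaction as a login."""
    if not TXID_RE.match(txid):
        raise ValueError("transaction id must be a long numeric string")
    if len(keyword) < 8 or ":" in keyword or "\n" in keyword:
        raise ValueError("keyword too short or contains ':' or newline")
    passwd[txid] = sha_entry(keyword)
    ledger[txid] = expires_at


def expire_entries(passwd: dict, ledger: dict, now: int) -> list:
    """Cron step: swap each lapsed id's hash for that of a random secret that
    is never disclosed, so the line stays for audit but can no longer log in."""
    voided = sorted(t for t, exp in ledger.items() if exp <= now and t in passwd)
    for txid in voided:
        passwd[txid] = sha_entry(secrets.token_urlsafe(32))
    return voided


def check_login(passwd: dict, txid: str, keyword: str) -> bool:
    """Mirror of Apache's per-request check against the file."""
    stored = passwd.get(txid)
    return stored is not None and hmac.compare_digest(stored, sha_entry(keyword))


def render(passwd: dict) -> str:
    """Serialize to htpasswd format; write to a temp file and rename it over
    AuthUserFile so Apache never reads a half-written file."""
    return "".join(f"{u}:{h}\n" for u, h in sorted(passwd.items()))


def parse(text: str) -> dict:
    """Load an existing AuthUserFile (one user:hash per line)."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
```

The predictability concern Terry raises still applies: the keyword, not the transaction ID, is the only secret here, so the keyword policy is what decides how brute-forceable the directory is.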