[Mojolicious] Re: multiple authentication methods?
Anyone have any patterns they have followed in this situation? I realize that some may have objections to my implementation, but I am developing an internally-used corporate website, so I don't have leeway in the matter. I know how I *could* do this, but would be happy to hear others' thoughts on implementation first.

On Thursday, August 21, 2014 9:19:28 AM UTC-4, Richard Sugg wrote:
> Perhaps it would have been better if I posed the question this way: I have
> a client that cannot use the standard means of authentication, but does
> support Basic authentication. What is the best way to support multiple auth
> methods?
>
> On Wednesday, August 20, 2014 2:01:09 PM UTC-4, Richard Sugg wrote:
>> What's the best way to handle multiple authentication methods? I normally
>> have users login and create a session in the database. A user can only
>> login once at a time. If they open another browser and login, their first
>> session is invalidated. However, I also want to use some of the same urls
>> for automated processes which might run in parallel. If two processes try
>> to authenticate and call a url, only the second process will have a valid
>> session. So for automation, it makes better sense to use Basic auth and
>> leave sessions to actual users.
>>
>> So what's the best way to handle this? Would I have to write a bridge
>> that checks one method and then the other? Or is there a better way?

--
You received this message because you are subscribed to the Google Groups "Mojolicious" group. To unsubscribe from this group and stop receiving emails from it, send an email to mojolicious+unsubscr...@googlegroups.com. To post to this group, send email to mojolicious@googlegroups.com. Visit this group at http://groups.google.com/group/mojolicious. For more options, visit https://groups.google.com/d/optout.
[Mojolicious] Re: multiple authentication methods?
Perhaps it would have been better if I posed the question this way: I have a client that cannot use the standard means of authentication, but does support Basic authentication. What is the best way to support multiple auth methods?

On Wednesday, August 20, 2014 2:01:09 PM UTC-4, Richard Sugg wrote:
> What's the best way to handle multiple authentication methods? I normally
> have users login and create a session in the database. A user can only
> login once at a time. If they open another browser and login, their first
> session is invalidated. However, I also want to use some of the same urls
> for automated processes which might run in parallel. If two processes try
> to authenticate and call a url, only the second process will have a valid
> session. So for automation, it makes better sense to use Basic auth and
> leave sessions to actual users.
>
> So what's the best way to handle this? Would I have to write a bridge that
> checks one method and then the other? Or is there a better way?
Re: [Mojolicious] Re: multiple authentication methods?
On Thu, Aug 21, 2014 at 7:57 AM, Jan Henning Thorsen wrote:
> You could still restrict access to given resources

Touche! Excellent point! I retract my comment. :)
Re: [Mojolicious] Re: multiple authentication methods?
Not sure what kind of paid service this is, but I still think you should be allowed to be logged in. Example: You can be logged in from as many devices that you want, using Spotify, but you can only play music from one device at a time.

Not sure if there's any service that can't fall into the same category: You could still restrict access to given resources, but why would you logout the other session, just if I suddenly wanted to change my email address in my profile page, from my phone..?

It's pretty annoying to log in. I would do that as rarely as possible.

On Thursday, August 21, 2014 2:24:15 PM UTC+2, Stefan Adams wrote:
> On Aug 21, 2014 7:15 AM, "Jan Henning Thorsen" wrote:
> >
> > I think it's a very bad idea to only allow one login from one browser.
>
> What about a situation of a paid service and the license only grants the
> user the ability to login from one machine, often the case because the
> service provider doesn't want the paying user to share the account and
> reduce the revenue owed to the service provider?
>
> I would agree with you, Jan, that I don't like these services either and
> like the freedom and flexibility to login from multiple machines. But I can
> understand the service providers' perspective to enforce non simultaneous
> logins to meet the requirements of the business and not potentially lose
> revenue.
Re: [Mojolicious] Re: multiple authentication methods?
On Aug 21, 2014 7:15 AM, "Jan Henning Thorsen" wrote:
>
> I think it's a very bad idea to only allow one login from one browser.

What about a situation of a paid service and the license only grants the user the ability to login from one machine, often the case because the service provider doesn't want the paying user to share the account and reduce the revenue owed to the service provider?

I would agree with you, Jan, that I don't like these services either and like the freedom and flexibility to login from multiple machines. But I can understand the service providers' perspective to enforce non simultaneous logins to meet the requirements of the business and not potentially lose revenue.
[Mojolicious] Re: multiple authentication methods?
I think it's a very bad idea to only allow one login from one browser. I often log in to facebook, twitter, google, demo.convos.by, ..., from multiple browsers at the same time.

I would probably do something like this:

    $c->session(uid => $user->username, sid => $session_row->id);

That way you can allow multiple users being logged in at the same time from multiple devices. If something is shared across browsers, you can use the "uid" and if something is unique per browser, you can use the session row to store data.

On Wednesday, August 20, 2014 8:01:09 PM UTC+2, Richard Sugg wrote:
> What's the best way to handle multiple authentication methods? I normally
> have users login and create a session in the database. A user can only
> login once at a time. If they open another browser and login, their first
> session is invalidated. However, I also want to use some of the same urls
> for automated processes which might run in parallel. If two processes try
> to authenticate and call a url, only the second process will have a valid
> session. So for automation, it makes better sense to use Basic auth and
> leave sessions to actual users.
>
> So what's the best way to handle this? Would I have to write a bridge that
> checks one method and then the other? Or is there a better way?
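
Added example, not part of the thread and not code from any of the posters: one way to write the bridge the original question asks about, as a Mojolicious::Lite `under` callback that accepts a session first and falls back to Basic authentication for automation clients. The `%AUTOMATION` table and its credentials, the `basic_auth_user` helper and the `/report` route are assumptions for illustration; the `uid` session key follows the snippet above.

```perl
use Mojolicious::Lite;
use Mojo::Util qw(secure_compare);

# Constructed automation account. A real application would look the client up
# in its user store and verify a stored password hash instead of a literal.
my %AUTOMATION = (batch => 'constructed-example-secret');

# Hypothetical helper: returns the user name if the request carries valid
# Basic credentials, undef otherwise. Mojolicious exposes the decoded
# Authorization header as the userinfo part of the absolute request URL.
helper basic_auth_user => sub {
  my $c = shift;
  my $userinfo = $c->req->url->to_abs->userinfo // '';
  my ($user, $pass) = split /:/, $userinfo, 2;
  return undef unless defined $pass && exists $AUTOMATION{$user};
  return secure_compare($pass, $AUTOMATION{$user}) ? $user : undef;
};

# Everything declared after this callback requires one of the two methods.
under sub {
  my $c = shift;

  # 1. Interactive users: the login action (not shown) has set "uid" in the
  #    session; an app with database-backed sessions would also validate the
  #    session row here.
  if (my $uid = $c->session('uid')) {
    $c->stash(auth_user => $uid, auth_method => 'session');
    return 1;
  }

  # 2. Automation: credentials are checked on every request and no session
  #    is created, so parallel processes cannot invalidate each other.
  if (my $user = $c->basic_auth_user) {
    $c->stash(auth_user => $user, auth_method => 'basic');
    return 1;
  }

  # Neither method succeeded: challenge and stop the dispatch chain.
  $c->res->headers->www_authenticate('Basic realm="example"');
  $c->render(text => 'Authentication required', status => 401);
  return undef;
};

get '/report' => sub {
  my $c = shift;
  $c->render(text => sprintf('%s via %s', $c->stash('auth_user'), $c->stash('auth_method')));
};

app->start;
```

Basic credentials travel with every request, so this fallback belongs on TLS-only routes, and the stashed `auth_method` lets individual actions refuse automation accounts where only interactive users should be allowed.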