On Wed, 16 Jan 2002, Paul Lindner wrote:
On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
3) Perl-based applications can just use the module and the common key
to decrypt the contents of the cookie to find the authenticated
username. If the cookie is not
No. There are very important reasons why Apache by default puts an ACL
restricting .ht* from being viewable. (Basically, the password encryption
used in said file is moderately easily cracked via brute force.)
One could use a file distributed using rsync(1) or some such (preferably
with
On Wed, 16 Jan 2002, Medi Montaseri wrote:
I think Netegrity single sign-on system modifies the HTTP server
(possible with mod_perl) to overload or override its native
authentication and instead contact a Host, Database or LDAP to get
the yes or no along with expiration data it then
On Thu, 17 Jan 2002, Gunther Birznieks wrote:
Of course, the best authentication system for banking I've seen is
from UBS. They send you a scratchlist of around 100 numbers. Every
time you login you use one of the numbers and cross it off. Very
slick.
Does that really work in practice?
On Wed, 16 Jan 2002, Mark Maunder wrote:
The only way I could come up with, was to have the browser redirected
to every domain name with an encrypted uri variable to prove it is
signed on which causes each host included in the single sign on to
assign an auth cookie to the browser.
Instead
Of course, the best authentication system for banking I've seen is
from UBS. They send you a scratchlist of around 100 numbers. Every
time you login you use one of the numbers and cross it off. Very
slick.
Does that really work in practice? That sounds really annoying. Is this for
I hadn't really taken a look at personal certificates until this thread
came up. It looks like thawte is offering personal certificates at no
charge.
http://www.thawte.com/getinfo/products/personal/contents.html
Yep, and the society I work in develops a GPLed PKI, which is a
At 9:06 PM + 1/16/02, Mark Maunder wrote:
That's cool, but any ideas on how to do this with different domain names i.e.
foo.com, bar.com, baz.com and boo.com? You can't create cookies for the .com
domain, so there's no way to hand out auth cookies from foo.com (when the user
logs into
Vsevolod Ilyushchenko wrote:
Yes, but I still should be able to properly handle people who go to any of
the protected sites first thing in the morning. I don't think I can get
away with only exit-point authentication that you propose. If the
entrance-point authentication works well, there
3) Perl-based applications can just use the module and the common key
to decrypt the contents of the cookie to find the authenticated
username. If the cookie is not present redirect to the central
authentication page, passing in the URL to return to after
authentication.
On Wed, Jan 16, 2002 at 06:56:37PM -0500, Vsevolod Ilyushchenko wrote:
3) Perl-based applications can just use the module and the common key
to decrypt the contents of the cookie to find the authenticated
username. If the cookie is not present redirect to the central
Daniel Little wrote:
From: Mark Maunder [mailto:[EMAIL PROTECTED]]
Here's one idea that worked for me in one application:
1) assume that all hosts share the same domain suffix:
www.foo.com
www.eng.foo.com
www.hr.foo.com
2) Define a common
I think Netegrity single sign-on system modifies the HTTP server (possible
with mod_perl)
to overload or override its native authentication and instead contact
a Host, Database or
LDAP to get the yes or no along with expiration data it then sends
its finding to the CGI
by sending additional
I wonder if one could change the HTTP Server's behavior to process a
distributed version of "AuthUserFile" and "AuthGroupFile".
That instead of
AuthUserFile "/some/secure/directory/.htpasswd"
One would say
AuthUserFile "http://xyz.com/some/directory/htpasswd"
Then write a GUI (web) interface to
Of course, the best authentication system for banking I've seen is
from UBS. They send you a scratchlist of around 100 numbers. Every
time you login you use one of the numbers and cross it off. Very
slick.
Does that really work in practice? That sounds really annoying. Is this for
business
I hadn't really taken a look at personal certificates until this thread
came up. It looks like thawte is offering personal certificates at no
charge.
http://www.thawte.com/getinfo/products/personal/contents.html
This would make it a more likely method since lots of site
traffic wouldn't want
Hello,
PL> Of course, the best authentication system for banking I've seen is
PL> from UBS. They send you a scratchlist of around 100 numbers. Every
PL> time you login you use one of the numbers and cross it off. Very
PL> slick.
GB> Does that really work in practice? That sounds really annoying. Is this