[thelist] Bypassing a login

Rob Whitener rwhitener at DesignOptions.com
Tue Jan 28 11:26:15 CST 2003


That would work, but my bosses want me to craft the site such that the only
people who are allowed to save images have to be approved sales reps and
dealers of our merchandise (office furniture), but I don't want to force
people to login just to see what we have, and I also don't want to make the
site 100% dynamic because of what I think would turn into a mod_rewrite and
pathname nightmare (for spidering purposes).  So on the static pages I was
thinking about using a cookie to see if a user is logged in or not.

Thanks for the tips,

Rob

-----Original Message-----
From: David.Cantrell at Gunter.AF.mil [mailto:David.Cantrell at Gunter.AF.mil]
Sent: Tuesday, January 28, 2003 12:04 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] Bypassing a login


>Thanks for the tip, I guess that is pretty obvious isn't it.  I imagine
>that this could also be extended to include when the user travels outside
>of the secure area to the home page or photogallery.  Set a cookie that
>holds the same info? or should I generate some new information once the
>user is logged in to keep track of the session?

I wouldn't use a cookie. What if you just set a cookie to read
"authenticated" and then I decide to spoof it? Of course *knowing* what your
cookie is structured like without actually *having* one (because I'm not
authenticated) would be tough, but still I don't like the idea of storing
authentication information in a plain-text file on the user's machine.

ASP/ASP.NET (and CF and PHP and JSP...) have the ability to perform session
management through a simple automatic cookie which is placed and references
the session id, so the server can track session state across requests. And
it persists for 20 minutes (by default) past the user's last access to the
affected application, so they can go to other areas of the site and then
come back within that time window and still be authenticated.

-dave
--
* * Please support the community that supports you.  * *
http://evolt.org/help_support_evolt/

For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !
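An added example, not code from either poster, showing the contrast Dave draws above: a cookie that itself says "authenticated" (which any client can type into a request) beside a server-side session store where the cookie only carries a random session id and the server holds the user's state, with the idle timeout sliding on each request as he describes. The class and function names (SessionStore, may_save_image, set_cookie_header), the role names, and the 20-minute constant are assumptions for the illustration, and the clock is injectable so the timeout can be exercised without waiting.

```python
"""Added example (not from the original thread): a forgeable
'authenticated' cookie beside a server-side session store keyed by a
random session id with a sliding idle timeout. Names are assumptions."""
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute default mentioned in the thread


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Minimal Cookie: header parser ('a=1; b=2' -> {'a': '1', 'b': '2'})."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


# --- Weak scheme: the cookie itself carries the authentication decision.
def weak_is_logged_in(cookie_header: str) -> bool:
    """Trusts whatever the client sends; anyone can set 'authenticated=yes'."""
    return parse_cookie_header(cookie_header).get("authenticated") == "yes"


# --- Server-side scheme: the cookie holds only an unguessable id.
class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str, role: str) -> str:
        """Issue a fresh random id after a successful login; keep state here."""
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[sid] = {"user": username, "role": role,
                               "last_seen": self._clock()}
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[dict]:
        """Return the session if the id is known and not idle-expired, else
        None. Refreshes last_seen so the window slides with activity."""
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: drop it so it cannot come back
            return None
        session["last_seen"] = now
        return session

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the id: HttpOnly keeps it from script, Secure
    keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def may_save_image(store: SessionStore, cookie_header: str) -> bool:
    """The check an image-download handler would make: the cookie only names
    a session; the server decides from the stored role."""
    session = store.lookup(parse_cookie_header(cookie_header).get("sid"))
    return session is not None and session["role"] in ("sales_rep", "dealer")


def demo() -> dict:
    """Walk both schemes with a controllable clock; returns the outcomes."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    results = {}
    results["weak_forged"] = weak_is_logged_in("authenticated=yes")  # True
    results["anonymous"] = may_save_image(store, "")               # browsing only
    results["forged_sid"] = may_save_image(store, "sid=" + "A" * 43)  # unknown id
    sid = store.create("rob", "dealer")
    results["fresh"] = may_save_image(store, f"sid={sid}")
    now[0] += 19 * 60  # 19 minutes idle: still inside the window
    results["after_19min"] = may_save_image(store, f"sid={sid}")
    now[0] += 19 * 60  # another 19 since that access: window slid
    results["sliding"] = may_save_image(store, f"sid={sid}")
    now[0] += 21 * 60  # 21 minutes with no request: expired
    results["after_expiry"] = may_save_image(store, f"sid={sid}")
    results["cookie"] = set_cookie_header(sid)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is that the static pages never need to trust cookie contents: they send the id to the server (or to whatever small dynamic endpoint serves the image download) and the server answers from its own table, which is why a forged id or an expired one fails while a forged "authenticated" flag in the first scheme succeeds.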


