[thesite] new authentication ideas for evolt

Warden, Matt mwarden at odyssey-design.com
Fri May 18 23:49:12 CDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

kick-ass-hard-core-evolters-on-thesite,

> the solution is pretty much a passport.com site just for evolt
> sites. example: i go to dan.evolt.org, the login form there goes
> to a centralized place, login.evolt.org for example. i enter my
> username and password, and the form submits to login.evolt.org..
> login.evolt.org does a lookup on the info that got sent, checks it
> against our main DB, and if i'm a registered member, it sets a
> cookie for the *.evolt.org domain and redirects me back to the
> dan.evolt.org site. dan.evolt.org then checks for an *.evolt.org
> cookie, and if i have it, authenticates me. other info like
> username and userid could be put in this cookie as well. this is a
> good thing because we're not tied down to one language anymore. if
> dan.evolt.org runs python, i just code that page to check for the
> *.evolt.org cookie.
...
> this could be a really good thing IMO. props to matt for suggesting
> it :)  

Well, yeah... this is basically what I had in mind. But, I didn't
suggest the exact solution above for two reasons (that are actually
really only one reason, but whatever):

1. "Foreign keys" of a user id can't be enforced
2. There doesn't seem to be a way to stop Joe User from sending a
cookie header with his PerlSkript that just said he was userid
1230293774.

Actually, what I had originally suggested was a signup.evolt.org or
join.evolt.org or allyourinfoarebelongtous.evolt.org which would be
our current "Join" page. However, it would insert into the user table
in multiple datasources (one for weo's, one for feo's, etc.). And
each subsite's "Join" link would go to signup.evolt.org passing a
styleid which would be used to keep the colors and style the same as
the subsite from which the user originated. Basically, it would use
weo.css if the styleid was "weo", feo.css if the styleid was "feo",
etc.

The login stuff was something separate. I had originally thought I
was going to authenticate feo through weo's login handler (so i could
use weo's user table) and have that handler redirect to the feo url.
Somewhere in my conversations with dan I managed to mush these
all together and I'm actually quite surprised he came out of it
understanding WTF I was talking about. Way to go, dan!


if now()=bedtime then
    --
    mattwarden
    mattwarden.com
end if

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOwX7UXgH0dUmEhrcEQI4tACgpSSZvRalmbOD0D+QovS7MrNB0fYAoKV6
Z5CFKZKz92+Ud3do/W8XV+rL
=a9Ks
-----END PGP SIGNATURE-----
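
The forged-cookie concern in point 2, as an added example that is not part of the original message or of evolt's code: a subsite check that trusts the claimed userid, beside one that only accepts cookies carrying an HMAC tag from the login host. The cookie layout, the shared key, the function names and the one-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Assumption: a secret held only by login.evolt.org and the subsite servers.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE = 3600  # seconds a cookie stays valid (assumed policy)


def naive_check(cookie):
    """Forgeable design: the subsite believes whatever userid the cookie claims."""
    return dict(parse_qsl(cookie)).get("userid")


def _tag(payload):
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(userid, username, now=None):
    """Login host: bind userid, username and issue time under an HMAC tag."""
    issued = int(time.time() if now is None else now)
    payload = urlencode({"userid": userid, "username": username, "issued": issued})
    return f"{payload}&sig={_tag(payload)}"


def verify_cookie(cookie, now=None):
    """Subsite: return the userid only if the tag verifies and the cookie is fresh."""
    payload, sep, tag = cookie.rpartition("&sig=")
    if not sep:
        return None  # no signature at all
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None  # forged or modified payload
    fields = dict(parse_qsl(payload))
    age = int(time.time() if now is None else now) - int(fields["issued"])
    if age < 0 or age > MAX_AGE:
        return None  # stale cookie, or issue time in the future
    return fields["userid"]


if __name__ == "__main__":
    forged = "userid=1230293774"  # constructed: what a script could send
    print("naive check accepts:", naive_check(forged))
    print("signed check accepts:", verify_cookie(forged))
    good = issue_cookie(42, "dan")
    print("issued cookie verifies as:", verify_cookie(good))
```

The tag stops a client from inventing or editing a userid; it does not stop a captured cookie from being replayed within its lifetime, so the cookie still needs to travel over an encrypted connection.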
