From: Tom J. <tj...@do...> - 2000-11-18 23:23:00
|
Hey folks,

I need to put together a web application to allow people to edit attributes I've given them access to (password resets for the help desk, radius info for the network guys, etc).

I'm pretty clear on what I need to do between the script and the LDAP server, but does anyone have any suggestions on how to handle session authentication?

I'd like to have a client log in to the web app with their uid and userPassword, and then be able to mess with stuff according to the permissions given to their object (so the script would bind to the directory as the user).

Any suggestions on how to manage the session? Alternately, does anyone know of any applications like this out there that I could tweak (other than Netscape's DSGW, which has annoyed me on many occasions).

Thanks much,

Tom Jordan
University of Wisconsin Madison
|
From: Yann R. <at...@at...> - 2000-11-19 02:35:15
Attachments:
WebSessions.pm
|
Well, I would do this with a relational database. Or maybe Apache::Session?

Anyway, here is a perl module which I made awhile back. It's designed to work with Postgres and uses some database constraints to make sure the database is consistent. I don't like my old session purging scheme, but hey, it works. It might help you.

Yann

On Sat, 18 Nov 2000, you (Tom Jordan) might of written:
> Hey folks,
>
> I need to put together a web application to allow people to edit
> attributes I've given them access to (password resets for the help desk,
> radius info for the network guys, etc).
>
> I'm pretty clear on what I need to do between the script and the LDAP
> server, but does anyone have any suggestions on how to handle session
> authentication?
>
> I'd like to have a client log in to the web app with their uid and
> userPassword, and then be able to mess with stuff according to the
> permissions given to their object (so the script would bind to the
> directory as the user).
>
> Any suggestions on how to manage the session? Alternately, does anyone know
> of any applications like this out there that I could tweak (other than
> Netscape's DSGW, which has annoyed me on many occasions).
>
> Thanks much,
>
> Tom Jordan
> University of Wisconsin Madison

--
--------------------------------------------------------------------
Yann Ramin at...@at...
Atrus Trivalie Productions www.redshift.com/~yramin
AIM oddatrus
Marina, CA http://profiles.yahoo.com/theatrus
IRM Developer Network Toaster Developer
SNTS Developer KLevel Developer
Electronics Hobbyist person who loves toys

Build a man a fire, and he's warm for a day.
Set a man on fire, and he'll be warm for the rest of his life.

"I'm prepared for all emergencies but totally unprepared for everyday life."
--------------------------------------------------------------------
|
From: Mark W. <mew...@un...> - 2000-11-20 15:11:19
|
If you want to use permissions as they are stored in the LDAP server for LDAP operations (not a bad idea because that way users have the same rights regardless of how they interact with the LDAP server) you need to store the DN and password so that you can keep binding to the server.

You either need to store the DN and Password in memory (only possible if you're using mod_perl), in an encrypted cookie (I use a DES encrypted cookie) or in an encrypted file/database on the server.

I don't know of any application that does this in Perl. It's a little bit easier to do this as a Java servlet because it has a default session storage system that's unique per application invocation. You can do the same in Perl, it just takes a bit more work.

Mark

Tom Jordan wrote:
> Hey folks,
>
> I need to put together a web application to allow people to edit
> attributes I've given them access to (password resets for the help desk,
> radius info for the network guys, etc).
>
> I'm pretty clear on what I need to do between the script and the LDAP
> server, but does anyone have any suggestions on how to handle session
> authentication?
>
> I'd like to have a client log in to the web app with their uid and
> userPassword, and then be able to mess with stuff according to the
> permissions given to their object (so the script would bind to the
> directory as the user).
>
> Any suggestions on how to manage the session? Alternately, does anyone know
> of any applications like this out there that I could tweak (other than
> Netscape's DSGW, which has annoyed me on many occasions).
>
> Thanks much,
>
> Tom Jordan
> University of Wisconsin Madison
|
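An added example, not part of the thread or of any code posted to it: the in-memory option mentioned above, arranged so that the cookie carries only an HMAC-signed random session ID while the DN and password stay server-side until an idle timeout. It assumes a single persistent process (with several server processes the store and signing key would have to be shared); the function names, the 15-minute timeout and the sample DN and password are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $IDLE_TIMEOUT = 15 * 60;        # assumed policy: 15 minutes idle
my $SERVER_KEY   = random_hex(32); # per-process cookie-signing key
my %SESSIONS;                      # sid => { dn, password, last_seen }

sub random_hex {                   # $n random bytes, hex-encoded
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    return unpack 'H*', $buf;
}
sub ct_eq {                        # string compare without early exit
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}
# Call only after a Net::LDAP bind as $dn has succeeded; returns the cookie value.
sub create_session {
    my ($dn, $password, $now) = @_;
    my $sid = random_hex(16);
    $SESSIONS{$sid} = { dn => $dn, password => $password, last_seen => $now };
    return "$sid." . hmac_sha256_hex($sid, $SERVER_KEY);
}
# Returns (dn, password) for the next bind, or an empty list if rejected.
sub lookup_session {
    my ($cookie, $now) = @_;
    my ($sid, $mac) = ($cookie // '') =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/ or return;
    return unless ct_eq($mac, hmac_sha256_hex($sid, $SERVER_KEY));
    my $s = $SESSIONS{$sid} or return;
    if ($now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $SESSIONS{$sid};    # expired: forget the stored password
        return;
    }
    $s->{last_seen} = $now;
    return ($s->{dn}, $s->{password});
}
# Constructed demo values (not from the thread).
my $t0     = 974_700_000;
my $cookie = create_session('uid=helpdesk1,ou=people,dc=example,dc=edu', 'constructed-pw', $t0);
my $forged = random_hex(16) . '.' . ('0' x 64);
for my $case ([valid => $cookie, $t0 + 60], [forged => $forged, $t0 + 60],
              [expired => $cookie, $t0 + 60 + $IDLE_TIMEOUT + 1]) {
    my ($dn) = lookup_session($case->[1], $case->[2]);
    printf "%-8s %s\n", $case->[0], defined $dn ? "bind as $dn" : 'rejected';
}
```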
From: Tom J. <tj...@do...> - 2000-11-20 15:17:53
|
That's the conclusion I'm coming to. I'm working on storing session state in a local database (along with encrypted username/password data).

Different question (but along the same lines):

Is there a way to test whether an attribute is writeable by the current user? I'd like to simply display all attributes that a user has rights to view and supply an option to edit those that may be written. Is there a way to determine which is which short of attempting to write (and failing)?

Thanks,
Tom

On Mon, 20 Nov 2000, Mark Wilcox wrote:
> If you want to use permissions as they are stored in the LDAP server for
> LDAP operations (not a bad idea because that way users have the same rights
> regardless of how they interact with the LDAP server) you need to store the
> DN and password so that you can keep binding to the server.
>
> You either need to store the DN and Password in memory (only possible if
> you're using mod_perl), in an encrypted cookie (I use a DES encrypted
> cookie) or in an encrypted file/database on the server.
>
> I don't know of any application that does this in Perl. It's a little bit
> easier to do this as a Java servlet because it has a default session storage
> system that's unique per application invocation. You can do the same in Perl,
> it just takes a bit more work.
>
> Mark
>
> Tom Jordan wrote:
>
> > Hey folks,
> >
> > I need to put together a web application to allow people to edit
> > attributes I've given them access to (password resets for the help desk,
> > radius info for the network guys, etc).
> >
> > I'm pretty clear on what I need to do between the script and the LDAP
> > server, but does anyone have any suggestions on how to handle session
> > authentication?
> >
> > I'd like to have a client log in to the web app with their uid and
> > userPassword, and then be able to mess with stuff according to the
> > permissions given to their object (so the script would bind to the
> > directory as the user).
> >
> > Any suggestions on how to manage the session? Alternately, does anyone know
> > of any applications like this out there that I could tweak (other than
> > Netscape's DSGW, which has annoyed me on many occasions).
> >
> > Thanks much,
> >
> > Tom Jordan
> > University of Wisconsin Madison
>
|
From: Mark W. <mew...@un...> - 2000-11-20 16:03:34
|
No, there's not a simple way of testing permissions before attempting an operation.

Mark

Tom Jordan wrote:
> That's the conclusion I'm coming to. I'm working on storing session state
> in a local database (along with encrypted username/password data).
>
> Different question (but along the same lines):
>
> Is there a way to test whether an attribute is writeable by the current
> user? I'd like to simply display all attributes that a user has rights to
> view and supply an option to edit those that may be written. Is there a
> way to determine which is which short of attempting to write (and
> failing)?
>
> Thanks,
> Tom
>
> On Mon, 20 Nov 2000, Mark Wilcox wrote:
>
> > If you want to use permissions as they are stored in the LDAP server for
> > LDAP operations (not a bad idea because that way users have the same rights
> > regardless of how they interact with the LDAP server) you need to store the
> > DN and password so that you can keep binding to the server.
> >
> > You either need to store the DN and Password in memory (only possible if
> > you're using mod_perl), in an encrypted cookie (I use a DES encrypted
> > cookie) or in an encrypted file/database on the server.
> >
> > I don't know of any application that does this in Perl. It's a little bit
> > easier to do this as a Java servlet because it has a default session storage
> > system that's unique per application invocation. You can do the same in Perl,
> > it just takes a bit more work.
> >
> > Mark
> >
> > Tom Jordan wrote:
> >
> > > Hey folks,
> > >
> > > I need to put together a web application to allow people to edit
> > > attributes I've given them access to (password resets for the help desk,
> > > radius info for the network guys, etc).
> > >
> > > I'm pretty clear on what I need to do between the script and the LDAP
> > > server, but does anyone have any suggestions on how to handle session
> > > authentication?
> > >
> > > I'd like to have a client log in to the web app with their uid and
> > > userPassword, and then be able to mess with stuff according to the
> > > permissions given to their object (so the script would bind to the
> > > directory as the user).
> > >
> > > Any suggestions on how to manage the session? Alternately, does anyone know
> > > of any applications like this out there that I could tweak (other than
> > > Netscape's DSGW, which has annoyed me on many occasions).
> > >
> > > Thanks much,
> > >
> > > Tom Jordan
> > > University of Wisconsin Madison
> >
|