Re: [Phplib-users] Basic authentication
From: Kevin F. <fre...@ip...> - 2002-02-04 15:29:08
We actually ran into this problem. If the page content is dynamic or new content, AOL users will request the page one or more times. Once for the browser, second time for the proxy system, and a third for the AOL spider.

To overcome this problem we added a trust value to our authentication system. If the request for a restricted page or application comes in, the IP address is checked against the current session data. If there is a mismatch, the current request is treated as not trusted. No password changes, no submitting of forms, etc. If they do match, then the session is treated as trusted and the user can access the Web site functions.

This same method could be used to detect more than one login from one or more computers to the same account.

We have been using a version of this type of authentication system for about 4-5 years. We currently support about 15,000 users on-campus and off-campus via AOL, @Home, UUNET, AT&T Worldnet, and a number of other local and national ISPs.

BTW: This also gets you out of having to ask the user to close AOL or another ISP's custom browser and use the installed IE or Netscape to access your site.

On HTTP connections AOL users are:
AOL Spider: spider-*.proxy.aol.com 152.163.195.208
AOL Cache: cache-*.proxy.aol.com 64.12.96.166
AOL User: *.ipt.aol.com 172.131.132.99

On HTTPS connections AOL users are:
AOL Spider: spider-*.proxy.aol.com 152.163.195.208
AOL User: *.ipt.aol.com 172.131.132.99

Kevin Fredrick
Software Technician
Walter E. Helmke Library
Indiana University - Purdue University Fort Wayne
260-481-5445
http://www.lib.ipfw.edu/

>>> Michael Chaney <mdc...@mi...> 02/02/02 02:11PM >>>
On Fri, Feb 01, 2002 at 02:02:30PM -0500, Kevin Fredrick wrote:
> I would say that you use the IP address of the user coming from A to B
> and some secret known only to A and B to encrypt the data and append
> it
> to the URL.

Forget the IP address, a shared secret is fine if the encryption is good.

> When you get the forwarded link from A the users "should"
> still be using the same IP address.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sorry to be so blunt, but this is absolutely wrong, and I want to save someone the time of going down this road only to have to redo their code when they find it doesn't work.

Many large ISPs, AOL among them, run all port 80 traffic through a proxy farm. The IP address of the request rarely remains consistent across page views. Here's an example of me surfing my site through AOL:

64.12.96.166 - - [02/Feb/2002:12:58:45 -0600] "GET /services.php3 HTTP/1.0" 200 5479
64.12.96.78 - - [02/Feb/2002:12:58:49 -0600] "GET /contact.php3 HTTP/1.0" 200 5822
64.12.96.103 - - [02/Feb/2002:13:01:12 -0600] "GET /aboutus.php3 HTTP/1.0" 200 6511

Name: cache-mtc-ah01.proxy.aol.com
Address: 64.12.96.166

Name: cache-mtc-ac09.proxy.aol.com
Address: 64.12.96.78

Name: cache-mtc-af02.proxy.aol.com
Address: 64.12.96.103

Michael
--
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/
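
Added example, not part of either post and not PHPLIB code: the trust value described in the first message, replayed over the three proxy requests from the access log quoted in the reply. The function names, the session array layout and the action names are assumptions made for illustration.

```php
<?php
// Added example; function names, session layout and action names are hypothetical.

// Actions the post says an untrusted request must not perform.
const SENSITIVE_ACTIONS = ['change_password', 'submit_form'];

// Extract the client address from a common-log-format line.
function client_ip(string $logLine): ?string
{
    return preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}) /', $logLine, $m) ? $m[1] : null;
}

// Trusted only when the request address matches the one stored in the session.
function is_trusted(array $session, string $remoteAddr): bool
{
    return $session['ip'] === $remoteAddr;
}

// A mismatch does not end the session; it only blocks sensitive actions.
function is_allowed(array $session, string $remoteAddr, string $action): bool
{
    return is_trusted($session, $remoteAddr)
        || !in_array($action, SENSITIVE_ACTIONS, true);
}

// The three requests from the access log quoted in the thread.
$log = [
    '64.12.96.166 - - [02/Feb/2002:12:58:45 -0600] "GET /services.php3 HTTP/1.0" 200 5479',
    '64.12.96.78 - - [02/Feb/2002:12:58:49 -0600] "GET /contact.php3 HTTP/1.0" 200 5822',
    '64.12.96.103 - - [02/Feb/2002:13:01:12 -0600] "GET /aboutus.php3 HTTP/1.0" 200 6511',
];

// Assumption: the session was established from the first request's address.
$session = ['user' => 'example', 'ip' => client_ip($log[0])];

foreach ($log as $line) {
    $ip = client_ip($line);
    if ($ip === null) {
        continue; // not a parseable log line
    }
    printf(
        "%-13s trusted=%-3s view_page=%-3s change_password=%s\n",
        $ip,
        is_trusted($session, $ip) ? 'yes' : 'no',
        is_allowed($session, $ip, 'view_page') ? 'yes' : 'no',
        is_allowed($session, $ip, 'change_password') ? 'yes' : 'no'
    );
}
```

Only the first request matches the session address; the two that arrive from other proxy addresses can still view pages but are refused the password change.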