Re: Anybody used htaccess in a form?
- From: "dE|_" <spambusters@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Sep 2008 11:22:04 +0100
"Owen Rees" <orees@xxxxxxxxxxx> wrote in message
news:uenob4teod5ehsn8vk3ml7jgqc91q38trt@xxxxxxxxxx
On Mon, 1 Sep 2008 16:36:51 +0100, "dE|_"
<spambusters@xxxxxxxxxxxxxxxxxxxx> wrote in
<l_Tuk.137904$6s4.128929@xxxxxxxxxxxxx>:
Thank you, I will keep that noted.
You speak of HTTP authentication only being apt for a single item rather
than a session, when 'big brother' showed me how to set up htaccess on the
server it was actually only for a low budget one-page site. A page holding a
Flash mp3 player, available to industry/invite only.
It is the other way round.
HTML pages with embedded scripts that are decrypted by the browser
protect only themselves, not any subsequently retrieved resource, unless
the page also has scripts that handle the retrieval and decoding of
other resources or at the very least has some way to pass the
authorization data to subsequently retrieved self decoding pages (and I
don't think you can protect images, video etc like that).
If you have a form where the server side processing of the action takes
authentication data from the form and then, assuming the credentials are
good, just responds with the content of a resource without doing
anything else then it is only that one resource that is protected.
The HTTP protocol authentication is typically implemented in browsers in
such a way that the browser will automatically supply the authorization
data for subsequent requests for resources from the same realm without
troubling the user for a password. The authorization data generally
persists in the browser until the user explicitly deletes it or the
server ceases to accept the credentials because the username or password
have been revoked or changed at the server.
Log-in, listen, send an email, leave. That may be why site-wide sessions
never came into conversation.
Even in such a simple case you need to authorize multiple requests if
the resources are all protected. With the HTTP protocol mechanisms this
"just works" but only because both browser and server have been
implemented to make it so.
Most web form based authentication systems work by creating some session
authorization token and sending it back to the browser either as a
cookie or embedded in dynamically generated URLs in the returned
resources. The browser sends back the authorization data either in a
cookie or in the URL of the subsequent request without the user having
to do anything and the server then dynamically verifies the
authorization before returning each resource. Most people do not code
this for themselves, there are libraries you can use with a standard web
server or application servers and content management systems with it
already included.
....okay, thanks. You kind of lost me a couple of branches ago, but I really
appreciate your efforts here and the posts have been saved for reference.
-dE|_---
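
Added example, not part of the original posts: the form-based session flow Owen Rees describes, in Python, where the login handler issues a random token as a cookie and the server verifies that token before returning each protected resource. The user store, the cookie name "session", the 30-minute lifetime and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds; assumed session lifetime
SESSIONS = {}        # server-side store: token -> (username, expiry time)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store for the demo: username -> (salt, password hash)
_SALT = secrets.token_bytes(16)
USERS = {"invitee": (_SALT, _hash("constructed-password", _SALT))}

def login(form, now=None):
    """Handle the form POST; return a Set-Cookie value, or None if rejected."""
    now = time.time() if now is None else now
    record = USERS.get(form.get("username", ""))
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash(form.get("password", ""), salt), expected):
        return None
    token = secrets.token_urlsafe(32)          # unguessable session token
    SESSIONS[token] = (form["username"], now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True       # not readable from page scripts
    cookie["session"]["secure"] = True         # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"            # sent for every resource on the site
    return cookie["session"].OutputString()

def authorize(cookie_header, now=None):
    """Run before serving each protected resource; return username or None."""
    now = time.time() if now is None else now
    morsel = SimpleCookie(cookie_header or "").get("session")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None or entry[1] < now:
        SESSIONS.pop(morsel.value, None)       # drop expired tokens
        return None
    return entry[0]

def logout(cookie_header):
    """Revoke the session at the server, whatever the browser still holds."""
    morsel = SimpleCookie(cookie_header or "").get("session")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)
```

Unlike HTTP authentication, where the browser keeps resending the credentials until they change at the server, the token here can be expired or revoked on its own without touching the password.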