|
List Info
Thread: Authenticate "on demand"
|
|
| Authenticate "on demand" |
|
2006-03-29 15:49:16 |
I know I got this to work at one point (I can't find what I
was messing
with) but for what you're doing, it would probably be
better to ditch
basic authentication (which doesn't have anything built in
to expire
logins) and roll your own. There are two ways you can do
that. The first
(and likely hardest) would be to write a plug-in to make
basic auth do
what you want. This program needs to be multi-threaded which
rules RPG
out. You may be able to find something for Apache 2.0 on
another OS that
can be ported over.
The second way you can do this is to come up with your own
authentication scheme and make everything understand it. For
static
pages, you'd need to pull in a program via an SSI that
checks to see if
the user is logged in with a valid session or not. You'll
end up needing
to created a session id and it's easiest to store it in a
cookie. What I
did is create a file that holds session information in it.
When a
session id is generated, I put it and a timestamp in the
table (the
session ID is a GUID that I hash with some other values so
there ends up
being more in that table to I can verify the session ID
hasn't been
tampered with). Every time I need to check to see if it's
still valid,
it's a simple lookup to see if the current time is less
than the
timestamp. If not, they get redirected to the login page.
This also
makes it easy to log in and out of the site.
Matt
-----Original Message-----
From: web400-bounces midrange.com [mailto:web400-bouncesmidrange.com]
On Behalf Of cozzirpgiv.com
Sent: Wednesday, March 29, 2006 9:49 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Authenticate "on demand"
Got it to ask for the user id and password.
Great.
But it seems to be requiring it to be entered 3 times
before it takes
it,
but even then it still doesn't sing off the prior
sign-on user id.
:(
-BOb
-------- Original Message --------
Subject: Re: [WEB400] Authenticate "on
demand"
From: Matt.Haasthomson.com
Date: Wed, March 29, 2006 8:12 am
To: <web400midrange.com>
That looks right. I just hit a site using basic auth
that we have
and
here's the headers I got back:
HTTP/1.1 401 Authorization Required
Accept-Ranges: bytes
Content-Type: text/html; charset=ISO-8859-1
Connection: close
Date: Wed, 29 Mar 2006 14:08:20 GMT
WWW-Authenticate: Basic
realm="Customer_Service"
Server: Apache/2.0.52 (iSeries)
Content-Length: 975
I don't know if order makes any difference or not.
Matt
-----Original Message-----
From: web400-bounces+matt.haas=thomson.commidrange.com
[mailto:web400-bounces+matt.haas=thomson.commidrange.com] On
Behalf Of
Bob Cozzi
Sent: Tuesday, March 28, 2006 10:00 PM
To: 'Web Enabling the AS400 / iSeries'
Subject: Re: [WEB400] Authenticate "on
demand"
Matt,
Are you suggesting that I send something like the
following:
Status 401 Unauthorized
WWW-Authenticate: Basic realm="cPanel"
Connection: close
-Bob
-----Original Message-----
From: web400-bouncesmidrange.com
[mailto:web400-bouncesmidrange.com]
On
Behalf Of Matt.Haasthomson.com
Sent: Tuesday, March 28, 2006 3:42 PM
To: web400midrange.com
Subject: Re: [WEB400] Authenticate "on
demand"
Bob,
If you are using basic authentication, you'll need to
send an
Authenticate HTTP header to get the browser to pop up
the
authentication
dialog.
Matt
-----Original Message-----
From: web400-bouncesmidrange.com
[mailto:web400-bouncesmidrange.com]
On Behalf Of cozzirpgiv.com
Sent: Tuesday, March 28, 2006 2:01 PM
To: Web Enabling the AS400 / iSeries
Subject: [WEB400] Authenticate "on demand"
I need to have users log onto the 400 via a web page.
Got that working fine... authentication does it.
But if they sit there for more than 30 minutes, I
need to have
the
authentication expire and when they go to another
page, "force"
them
to
sign on again.
I've tried several HTTP Headers, but nothing seems
to force them
to
re-signon.
Any ideas?
-Bob Cozzi
--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list
To post a message email: WEB400midrange.com
To subscribe, unsubscribe, or change list options,
visit: htt
p://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-requestmidrange.com
Before posting, please take a moment to review the archives
at http://archive.mi
drange.com/web400.
|
|
| Authenticate "on demand" |
|
2006-03-30 13:02:22 |
If you can code in all your pages a line:
<meta http_equiv="refresh"
content="1800:URL=login">
Any screen left untouched for 1800 seconds will send the
user to the
login page.
Matt.Haasthomson.com wrote:
>I know I got this to work at one point (I can't find
what I was messing
>with) but for what you're doing, it would probably be
better to ditch
>basic authentication (which doesn't have anything built
in to expire
>logins) and roll your own. There are two ways you can do
that. The first
>(and likely hardest) would be to write a plug-in to make
basic auth do
>what you want. This program needs to be multi-threaded
which rules RPG
>out. You may be able to find something for Apache 2.0 on
another OS that
>can be ported over.
>
>The second way you can do this is to come up with your
own
>authentication scheme and make everything understand it.
For static
>pages, you'd need to pull in a program via an SSI that
checks to see if
>the user is logged in with a valid session or not.
You'll end up needing
>to created a session id and it's easiest to store it in
a cookie. What I
>did is create a file that holds session information in
it. When a
>session id is generated, I put it and a timestamp in the
table (the
>session ID is a GUID that I hash with some other values
so there ends up
>being more in that table to I can verify the session ID
hasn't been
>tampered with). Every time I need to check to see if
it's still valid,
>it's a simple lookup to see if the current time is less
than the
>timestamp. If not, they get redirected to the login
page. This also
>makes it easy to log in and out of the site.
>
>Matt
>
>-----Original Message-----
>From: web400-bouncesmidrange.com
[mailto:web400-bouncesmidrange.com]
>On Behalf Of cozzirpgiv.com
>Sent: Wednesday, March 29, 2006 9:49 AM
>To: Web Enabling the AS400 / iSeries
>Subject: Re: [WEB400] Authenticate "on
demand"
>
> Got it to ask for the user id and password.
> Great.
> But it seems to be requiring it to be entered 3 times
before it takes
>it,
> but even then it still doesn't sing off the prior
sign-on user id.
>:(
>
> -BOb
>
>
>
> -------- Original Message --------
> Subject: Re: [WEB400] Authenticate "on
demand"
> From: Matt.Haasthomson.com
> Date: Wed, March 29, 2006 8:12 am
> To: <web400midrange.com>
>
> That looks right. I just hit a site using basic
auth that we have
>and
> here's the headers I got back:
>
> HTTP/1.1 401 Authorization Required
> Accept-Ranges: bytes
> Content-Type: text/html; charset=ISO-8859-1
> Connection: close
> Date: Wed, 29 Mar 2006 14:08:20 GMT
> WWW-Authenticate: Basic
realm="Customer_Service"
> Server: Apache/2.0.52 (iSeries)
> Content-Length: 975
>
> I don't know if order makes any difference or not.
>
> Matt
>
> -----Original Message-----
> From: web400-bounces+matt.haas=thomson.commidrange.com
> [mailto:web400-bounces+matt.haas=thomson.commidrange.com] On
>Behalf Of
> Bob Cozzi
> Sent: Tuesday, March 28, 2006 10:00 PM
> To: 'Web Enabling the AS400 / iSeries'
> Subject: Re: [WEB400] Authenticate "on
demand"
>
> Matt,
> Are you suggesting that I send something like the
following:
>
> Status 401 Unauthorized
> WWW-Authenticate: Basic realm="cPanel"
> Connection: close
>
> -Bob
>
> -----Original Message-----
> From: web400-bouncesmidrange.com
>[mailto:web400-bouncesmidrange.com]
> On
> Behalf Of Matt.Haasthomson.com
> Sent: Tuesday, March 28, 2006 3:42 PM
> To: web400midrange.com
> Subject: Re: [WEB400] Authenticate "on
demand"
>
> Bob,
>
> If you are using basic authentication, you'll need
to send an
> Authenticate HTTP header to get the browser to pop
up the
>authentication
> dialog.
>
> Matt
>
> -----Original Message-----
> From: web400-bouncesmidrange.com
>[mailto:web400-bouncesmidrange.com]
> On Behalf Of cozzirpgiv.com
> Sent: Tuesday, March 28, 2006 2:01 PM
> To: Web Enabling the AS400 / iSeries
> Subject: [WEB400] Authenticate "on
demand"
>
> I need to have users log onto the 400 via a web
page.
> Got that working fine... authentication does it.
>
> But if they sit there for more than 30 minutes, I
need to have
>the
> authentication expire and when they go to another
page, "force"
>them
> to
> sign on again.
>
> I've tried several HTTP Headers, but nothing
seems to force them
>to
> re-signon.
>
> Any ideas?
>
> -Bob Cozzi
>
>
>
--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list
To post a message email: WEB400midrange.com
To subscribe, unsubscribe, or change list options,
visit: htt
p://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-requestmidrange.com
Before posting, please take a moment to review the archives
at http://archive.mi
drange.com/web400.
|
|
| Authenticate "on demand" |
|
2006-03-30 17:01:33 |
Apparently this is just hiding the content not actually
signing them off.
>From what I've ready, to log people off and force a new
signon, you have to
actually sign on as a lower-authority user and then route
them to the
secured page. They'll be prompted by the server
automatically. Or you can
sign them off and then issue your own Status 401 message
with the
www-authenticate header.
Now I just have to go on an archeological dig to find the
syntax to silently
log on via a hyperlink.
-Bob
-----Original Message-----
From: web400-bouncesmidrange.com [mailto:web400-bouncesmidrange.com] On
Behalf Of Raul A. Jager W.
Sent: Thursday, March 30, 2006 7:02 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Authenticate "on demand"
If you can code in all your pages a line:
<meta http_equiv="refresh"
content="1800:URL=login">
Any screen left untouched for 1800 seconds will send the
user to the
login page.
Matt.Haasthomson.com wrote:
--
This is the Web Enabling the AS400 / iSeries (WEB400)
mailing list
To post a message email: WEB400midrange.com
To subscribe, unsubscribe, or change list options,
visit: htt
p://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-requestmidrange.com
Before posting, please take a moment to review the archives
at http://archive.mi
drange.com/web400.
|
|
[1-3]
|
|