Re: WWW-Authentication and Postgresql

From: Vince Vielhaber <vev(at)michvhf(dot)com>
To: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
Cc: Stephan Borg <wolff_borg(at)yahoo(dot)com(dot)au>, <pgsql-php(at)postgresql(dot)org>
Subject: Re: WWW-Authentication and Postgresql
Date: 2001-12-26 03:24:30
Message-ID: Pine.BSF.4.40.0112252221500.36020-100000@paprika.michvhf.com
Lists: pgsql-php

On 26 Dec 2001, Andrew McMillan wrote:

> On Wed, 2001-12-26 at 12:24, Stephan Borg wrote:
> > Hello there,
> >
> > I'm hoping that someone has tried this already. I am currently trying to
> > write code, that prompts the user with a www-authentication logon and
> > proceeds to verify if the credentials are a valid Postgresql user (incl
> > password) before proceeding.
>
> We have code to do this in the office somewhere. It isn't hard. Follow
> the PHP examples and try a connect to the database with the credentials
> you have got from the auth.
>
> I don't actually do this for any of my sites, however. I find that
> database user != system user in 99.9% of cases. In addition I find that
> the www-authentication method makes for a crude login process.
>
> E-mail me off-list if you can't figure it out and I will dig out the
> code for you.

A couple of quick gotchas. 1) Make sure you filter out all unwanted
characters so someone can't execute SQL calls inside of a username or
password. 2) On failure make sure you send a 401 to the browser just
like you do initially when asking for the password to clear out the
old one - you can also use this to handle logouts.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
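
Added example, not part of the original message or of any code from the thread: a PHP sketch of both gotchas above, validating the Basic-auth username against an allow-list, quoting values so they cannot add parameters to the pg_connect() connection string, and re-sending the 401 challenge on any failure. The host, database name, realm, length limits and helper function names are assumptions.

```php
<?php
// Added example: DB_HOST, DB_NAME and REALM are placeholders, not from the thread.
const DB_HOST = '127.0.0.1';
const DB_NAME = 'appdb';
const REALM   = 'Database login';

// Re-issue the challenge so the browser drops its cached credentials.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    echo "Authentication required.\n";
    exit;
}

// Allow-list for role names: a conservative identifier set (assumed policy).
function valid_username(string $u): bool
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/', $u) === 1;
}

// Quote a value for a libpq connection string: backslash-escape \ and ',
// then wrap in single quotes so a space cannot start a new keyword=value pair.
function conninfo_quote(string $v): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $v) . "'";
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if ($user === null || $pass === null || !valid_username($user)
    || $pass === '' || strlen($pass) > 256 || strpos($pass, "\0") !== false) {
    challenge();
}

$conninfo = sprintf(
    'host=%s dbname=%s user=%s password=%s connect_timeout=5',
    conninfo_quote(DB_HOST), conninfo_quote(DB_NAME),
    conninfo_quote($user), conninfo_quote($pass)
);

// @ keeps the connection warning (and its details) out of the response.
$db = @pg_connect($conninfo);
if ($db === false) {
    challenge();
}
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES) . "\n";
```

A successful connect only proves the password if pg_hba.conf requires password authentication for the web server's address; with "trust", any password connects.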
