Footnotes
- [1]
- "Secure" is a relative term. No web-based system is as secure as
a firewall, and nothing in this
document should be applied to data that must be kept confidential from
a determined cracker. On the other hand, web login can be as secure as
other username-password protocols like telnet or ftp, and
more secure than some (like POP). HTTP Digest Authentication provides
a more secure login, while SSL gives transaction-level security.
- [2]
- Other possible schemes are generally inferior, and many of those
used by novice Web developers are downright broken.
- [3]
- Valid alternatives such as a telnet session, or an X or Java-based
client/server system can be built onto but not into
the Web, and are excluded from this discussion.
- [4]
- In my view, such concerns are mostly unfounded, and many
are rooted in misinformation. But that's another article.
- [5]
- Although this is usual browser behaviour, it is not mandatory.
A browser might choose to remember credentials between sessions,
or to time out. This is in general no concern of the server.
- [6]
- That is in HTTP/1.0. HTTP/1.1 introduces new authentication headers
to deal with the more-secure digest authentication, but CGI/1.1 does not
actually define whether these should be made available or hidden.
- [7]
- Logout is impossible because there's no HTTP status code to clear a
browser's credentials - it can only be made to overwrite them with new ones.
Mixed access is feasible in HTTP by customising the server, but cannot
be done in CGI.
- [8]
- Client-side scripting may be an option for some browsers, and an
alternative workaround hack is to set a cookie saying "login invalidated".
- [9]
- .htaccess is Apache's user- and directory-level configuration file.
If you use a different server, implementation details will differ -
read the manual.
- [10]
- For more on DBM authentication (including the "can't get it working"
problem that affects many users, particularly on Linux), see my articles
on the subject posted to comp.infosystems.www.servers.unix (these may
eventually be consolidated under <URL:http://www.webthing.com/tutorials/dbm.html>).
You may also be interested in the README.Apache-Auth file included with RDBM,
at <URL:http://www.webthing.com/software/rdbm>.
- [11]
- The Calendar of the WebÞing Virtual Desktop is one such application.

Every time I post an informational article (like this one) it brings me
lots of email - too much to deal with on an individual basis. And that's
excluding spam, which will usually only appear
as an entry in my filter log. So if you mail me, you might get an answer,
but then again you might not.

nick@webthing.com