[1988] in WWW Security List Archive
[summary]An accounting question...
daemon@ATHENA.MIT.EDU (Chih-Hung Feng (791018))
Mon May 6 01:34:15 1996
From: chfeng@iiidns.iii.org.tw (Chih-Hung Feng (791018))
To: www-security@ns2.rutgers.edu (www security)
Date: Mon, 6 May 1996 10:36:56 +0800 (CST)
Cc: darmar@superonline.com
Errors-To: owner-www-security@ns2.rutgers.edu
Dear all:
A couple of days ago I posted a billing question related to an info provider
providing on-line info access and charging the users on a per-access basis.
Since a few netters expressed their interest too, here is the summary
of the various responses I've got. First allow me to re-draw the whole
picture:
A few news publishers here were thinking about publishing their news
database through WWW interface. Users can use terms/index/author-names to
query and read articles. These articles are NOT fixed html documents, they
are some query results generated by a DB gateway (it played a role like
CGI, only much more complicated). The scheme is like this:
    WWW            DB
    Server ----- Gateway ----+--- news publisher A
                             |
                             +--- news publisher B
                             |
                             +... etc
The problems they are facing are: 1). the users should login to the
system before retrieving documents. 2). the users should be charged for
those pieces of information (generated through DB gateway). As I said
before, scenario 1) isn't actually a problem. However, ordinary WWW logging
facility cannot apply to the second scenario, and some http document access
mechanism (e.g. .htaccess) cannot put those info under protection, either.
So they have to work out a new reliable accounting mechanism.
The following are summarized from the responses I've received:
1) (Olivier Grange-Labat <grange@grolier.fr>)
Netscape Publishing System was designed for this.
=> After browsing Netscape's home page, I found out this system can
exactly fulfill the requirements (except a few minor coding jobs).
However... it looked like an overkill to me. :-)
2) (Jody C Patilla <jcp@tis.com>)
IBM's infomarket service and their new Cryptolope package can do this,
too. Check out http://www.infomkt.ibm.com.
=> I'm not sure about this, I failed to download Cryptolope software
due to the slow link.
3) (incorporated idea, comments from amresh@pcsbom.patni.com,
pzee@alto.express.com, and crowley@gradient.cis.upenn.edu)
A session manager (or a status keeper, whatever...) should be
implemented for this purpose. The engine should be capable of:
    access control -- control who can access which
    session management -- keep the status of each session (so we can know
        which request is from which user, has it authenticated already,
        is it expired, etc.)
This engine can be integrated with web server, or be implemented outside
the server (I suspect integration with the server, through some API like
netscape's NSAPI, will be a lot easier, and neater). A few netters had
successfully implemented this kind of session manager, using perl, c, or
Java, and the web sites are actually up and running now.
There are other useful ideas, but either they cannot fulfill the entire
requirement, or I accidentally deleted the letters (just turned from elm to
Eudora, thinking about going back to UNIX again). I want to thank all who
sent replies to me. You've been very helpful.
Appreciatively
Chih-Hung Feng <chfeng@iii.org.tw>
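
Added example, not part of the original message or of any respondent's code: one way the session manager from item 3 could sit in front of the DB gateway, combining access control, session state (authenticated, expired) and a per-access charge record. The class, field and publisher names, the timeout and the price table are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionManager:
    """Hypothetical engine placed between the WWW server and the DB gateway."""
    acl: dict                      # user -> set of publishers the user may query
    prices: dict                   # publisher -> charge per access (integer units)
    ttl: float = 900.0             # idle timeout in seconds (assumed value)
    clock: callable = time.time    # injectable so expiry can be exercised in tests
    sessions: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)  # (time, user, publisher, query, charge)

    def login(self, user, password_ok):
        # Credential checking is out of scope; the caller passes its result.
        if not password_ok or user not in self.acl:
            return None
        token = secrets.token_urlsafe(32)       # unguessable session identifier
        self.sessions[token] = Session(user, self.clock() + self.ttl)
        return token

    def authorize(self, token, publisher, query):
        """Return (allowed, reason); only allowed accesses reach the ledger."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return False, "not authenticated"
        if now >= sess.expires_at:
            del self.sessions[token]            # an expired session cannot be revived
            return False, "session expired"
        allowed = self.acl.get(sess.user, set())
        if publisher not in allowed or publisher not in self.prices:
            return False, "access denied"       # fail closed on unknown publishers
        sess.expires_at = now + self.ttl        # sliding expiry on activity
        self.ledger.append((now, sess.user, publisher, query, self.prices[publisher]))
        return True, "ok"

    def bill(self, user):
        # Amount owed by one user, summed from the per-access ledger.
        return sum(entry[4] for entry in self.ledger if entry[1] == user)
```

The gateway would call authorize() before running each query, so the ledger records generated results rather than static document fetches, which is the case the server's own access log and .htaccess do not cover.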