[3480] in WWW Security List Archive

Customized Queries

daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Thu Nov 7 09:45:41 1996

Date: Thu, 07 Nov 1996 13:03:26 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

<ABSTRACT>
I have to run a web-database application with sensitive information on
an Oracle Web Server and I need to distinguish the user in order to
perform his/her queries on his/her data.
</ABSTRACT>

<AUTHENTICATION SCHEME>
The application has an initial login procedure (it could be using
Oracle's security Access Control or a dedicated table) and
then displays a home page where the user can choose from different kinds
of queries (so I need to keep the user-id through all the 'session').
Does anybody have a clue on how to manage it?
</AUTHENTICATION SCHEME>

<SOLUTION?>
So far the only 'ideas' I got are:
1) using a different procedure for each user, encapsulating the user-id
in all the queries. I won't suggest it to a friend ..
2) using a hidden TAG in which to put a 'pretty long' string that represents
the user-id (so there is a table where user-id is mapped to this string
and, eventually, it is changed on a daily basis ..)
</SOLUTION?>

Thanks in advance,
Roberto Galoppini
rgaloppini@tim.it
"Even paranoids have enemies"
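
Idea 2 from the message above, sketched as an added example that is not part of the original post: a random token is issued at login, carried in a hidden form field, and mapped back to the user-id through a table, with a one-day lifetime. The table name `session_token`, the field name `sid` and the use of an in-memory SQLite database in place of Oracle are assumptions for illustration.

```python
import hashlib
import html
import secrets
import sqlite3
import time

TOKEN_TTL = 24 * 3600  # the post suggests changing the string daily

def open_store():
    # In-memory stand-in (assumption) for the token-to-user table in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session_token (token_hash TEXT PRIMARY KEY, "
               "user_id TEXT NOT NULL, expires REAL NOT NULL)")
    return db

def _digest(token):
    # Only a hash is stored, so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_token(db, user_id, now=None):
    """Call after a successful login; returns the string for the hidden field."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO session_token VALUES (?, ?, ?)",
               (_digest(token), user_id, now + TOKEN_TTL))
    return token

def hidden_field(token):
    # "sid" is a hypothetical field name; the value is escaped for the attribute.
    return ('<input type="hidden" name="sid" value="%s">'
            % html.escape(token, quote=True))

def resolve_user(db, token, now=None):
    """Map a submitted token back to its user-id; None if unknown or expired."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token.isascii():
        return None
    row = db.execute(
        "SELECT user_id, expires FROM session_token WHERE token_hash = ?",
        (_digest(token),)).fetchone()  # bound parameter, never string concatenation
    if row is None or row[1] <= now:
        return None
    return row[0]

def revoke(db, token):
    # Logout: delete the mapping so the hidden-field value stops working.
    db.execute("DELETE FROM session_token WHERE token_hash = ?", (_digest(token),))
```

Every query page calls `resolve_user` on the submitted field and uses the returned user-id in its own queries, so the user-id itself never travels through the browser.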