From: Malleswar Kalla <kalla@cs.iastate.edu>
To: rgaloppini@tim.it
Date: Thu, 7 Nov 1996 15:37:30 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <3281D00E.7FBC@tim.it> from "Roberto Galoppini" at Nov 7, 96 01:03:26 pm
Errors-To: owner-www-security@ns2.rutgers.edu

> <ABSTRACT>
> I have to run a web-database application with sensitive information on
> an Oracle Web Server and I need to distinguish the user in order to
> perform his/her queries on his/her data.
> </ABSTRACT>
>
> <AUTHENTICATION SCHEME>
> The application has an initial login procedure (it could be using
> Oracle's security Access Control or a dedicated table) and
> then displays a home page where the user can choose from different kinds
> of queries (so I need to keep the user-id through all the 'session').
> Does anybody have a clue on how to manage it?
> </AUTHENTICATION SCHEME>

I assume you are using the HTTP basic authentication scheme. That is, the browser pops up a Login window (at least the first time) when the user tries to access those HTML (or CGI script) documents. Although most browsers cache the user's response (login-id, passwd) and use it whenever needed, the server asks for the login-passwd for EVERY document in that protected space. So, every HTTP request contains the login-id, passwd. Thus, you should be able to access the remote user login-id using the environment variable REMOTE_USER. There should be a one-to-one mapping between the HTTP access authentication login-id and the user name in your Oracle db, using which you can access the appropriate user documents.

> <SOLUTION?>
> So far the only 'ideas' I got are:
> 1) using a different procedure for each user, encapsulating the user-id
> in all the queries. I won't suggest it to a friend ..

I think this is what I was suggesting to you, but the user won't be giving login-id/passwd every time. For example, Netscape asks for them only once.

> 2) using a hidden TAG where I put a 'pretty long' string which represents
> the user-id (so there is a table where user-id is mapped to this string
> and, eventually, it is changed on a daily basis ..)

You need this if you have really complicated transactions going on the Web. Since HTTP is stateless, you can store the state of the transaction on the server side and the state can be accessed using a handle which is sent as a hidden variable in all transactions.

Good luck,
Malleswar Kalla.
(http://www.cs.iastate.edu/~kalla/homepage.html)
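The two mechanisms the reply describes, mapping the web server's REMOTE_USER to a database user so every query is scoped to that user's rows, and keeping transaction state on the server behind an opaque handle carried in a hidden form field, as an added example that is not part of the thread or of Oracle Web Server. The tables, column names and the in-memory sqlite database stand in for the poster's Oracle schema and are constructed for the demonstration; the handle is a random token rather than a value derived from the user-id, so that holding one handle reveals nothing about other users and the store can also check that the handle is presented by the same REMOTE_USER it was issued to.

```python
import html
import secrets
import sqlite3
import time
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the Oracle tables: a login-id -> db-user map
    and a records table whose rows are owned by one db-user each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login_id TEXT PRIMARY KEY, db_user TEXT NOT NULL)")
    conn.execute("CREATE TABLE records (owner TEXT NOT NULL, payload TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "ALICE_SCHEMA"), ("bob", "BOB_SCHEMA")])
    conn.executemany("INSERT INTO records VALUES (?, ?)",
                     [("ALICE_SCHEMA", "alice-row-1"),
                      ("ALICE_SCHEMA", "alice-row-2"),
                      ("BOB_SCHEMA", "bob-row-1")])
    return conn


def db_user_for(conn: sqlite3.Connection, environ: dict) -> Optional[str]:
    """Translate the authenticated login-id (REMOTE_USER, set by the web
    server after basic-auth succeeds) into the database user whose rows the
    request may see. No REMOTE_USER or an unknown login-id yields None."""
    login = environ.get("REMOTE_USER")
    if not login:
        return None
    row = conn.execute("SELECT db_user FROM users WHERE login_id = ?", (login,)).fetchone()
    return row[0] if row else None


def query_user_records(conn: sqlite3.Connection, environ: dict) -> list:
    """The per-request query: the owner is taken from the server-supplied
    identity, never from a form field, and is bound as a parameter."""
    db_user = db_user_for(conn, environ)
    if db_user is None:
        return []
    rows = conn.execute("SELECT payload FROM records WHERE owner = ? ORDER BY rowid",
                        (db_user,))
    return [r[0] for r in rows]


class SessionStore:
    """Server-side transaction state addressed by an opaque random handle
    (the 'pretty long string' of option 2), with an expiry and a binding to
    the login-id the handle was issued to."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, login_id: str, state: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(32)  # 256 bits of randomness, URL/form safe
        self._sessions[handle] = {"login": login_id, "state": dict(state),
                                  "expires": now + self.ttl}
        return handle

    def lookup(self, handle: str, login_id: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the stored state only if the handle exists, has not expired,
        and is presented by the same REMOTE_USER it was created for."""
        now = time.time() if now is None else now
        sess = self._sessions.get(handle)
        if sess is None:
            return None
        if sess["expires"] < now:
            del self._sessions[handle]  # drop stale state on sight
            return None
        if sess["login"] != login_id:
            return None
        return sess["state"]


def hidden_field(handle: str) -> str:
    """The hidden input that carries the handle through each form."""
    return '<input type="hidden" name="session" value="%s">' % html.escape(handle, quote=True)


if __name__ == "__main__":
    conn = build_demo_db()
    env = {"REMOTE_USER": "alice"}  # what a CGI would see after basic auth
    print(query_user_records(conn, env))
    store = SessionStore()
    h = store.create(env["REMOTE_USER"], {"query": "balance", "step": 2})
    print(hidden_field(h))
    print(store.lookup(h, "alice"))
```

The handle is only as safe as the channel it travels over: with basic auth the login and password already cross the wire in every request, so this does not weaken the design, but the store expiry keeps a leaked handle short-lived, and because lookup also checks the login-id, a handle cannot be replayed under a different account.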