[3523] in WWW Security List Archive
Re: Customized Queries
daemon@ATHENA.MIT.EDU (Patrick C. Richard)
Wed Nov 13 08:07:17 1996
Date: Wed, 13 Nov 1996 01:02:53 -0800 (PST)
From: "Patrick C. Richard" <patr@xcert.com>
To: Michael Brennen <mbrennen@fni.com>
cc: Roberto Galoppini <rgaloppini@tim.it>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.LNX.3.95.961107131046.18166M-100000@ns1.fni.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Thu, 7 Nov 1996, Michael Brennen wrote:
> Date: Thu, 7 Nov 1996 13:13:28 -0600 (CST)
> From: Michael Brennen <mbrennen@fni.com>
> To: Roberto Galoppini <rgaloppini@tim.it>
> Cc: www-security@ns2.rutgers.edu
> Subject: Re: Customized Queries
>
>
> You may be able to drive some of this with PHP and create the pages
> dynamically based on a user ID tag that gets passed along from the initial
> login page. You can learn more about PHP at http://www.vex.net/php/.
>
Ya, PHP is good. We do this with client certs and PHP.
If you want to see this working, go to https://auth.xcert.com.
(You will need a client cert). It shows your username and stuff.
> -- Michael
>
> On Thu, 7 Nov 1996, Roberto Galoppini wrote:
>
> > <ABSTRACT>
> > I have to run a web-database application with sensitive-information on
> > an Oracle Web Server and I need to distinguish the user in order to
> > perform his/her queries on his/her data.
> > </ABSTRACT>
> >
> > <AUTHENTICATION SCHEME>
> > The application has an initial login procedure (it could be using
> > the Oracle's security Access Control or a dedicated table) and
> > then displays a home page where the user can choose from different kinds
> > of queries (so I need to keep the user-id through all the 'session').
> > Does anybody have a clue on how to manage it?
> > </AUTHENTICATION SCHEME>
> >
> > <SOLUTION?>
> > So far the only 'ideas' I got are:
> > 1) using a different procedure for each user, encapsulating the user-id
> > in all the queries. I won't suggest it to a friend ..
> > 2) using a hidden TAG in which to put a 'pretty long' string that represents
> > the user-id (so there is a table where user-id is mapped to this string
> > and, eventually, it is changed on a daily basis ..)
> > </SOLUTION?>
> >
> > Thanks in advance,
> > Roberto Galoppini
> > rgaloppini@tim.it
> > "Even paranoids have enemies"
> >
>
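
Idea 2 in the quoted question (a long unguessable string carried in a hidden field, mapped to the user-id in a server-side table and changed daily), sketched in Python as an added example that is not part of the thread. `SessionTable`, `run_query` and `fetch_rows` are hypothetical names; storing only a hash of the string and the 24-hour lifetime are assumptions of this example.

```python
import hashlib
import secrets
import time


class SessionTable:
    """Server-side table mapping an opaque hidden-field string to a user-id."""

    def __init__(self, ttl=24 * 60 * 60, clock=time.time):
        self._ttl = ttl      # assumption: one day, as in "changed on a daily basis"
        self._clock = clock  # injectable so expiry can be exercised without waiting
        self._rows = {}      # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        # Keep only a hash, so a leaked table does not hand out usable strings.
        return hashlib.sha256(str(token).encode("utf-8")).hexdigest()

    def login(self, user_id):
        """Call once the login procedure has succeeded; returns the hidden-field value."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the user-id
        self._rows[self._key(token)] = (user_id, self._clock() + self._ttl)
        return token

    def user_for(self, token):
        """Resolve the string sent back with a request to a user-id, or None."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, expires_at = row
        if self._clock() >= expires_at:
            del self._rows[key]  # expired rows are dropped on first use
            return None
        return user_id

    def logout(self, token):
        self._rows.pop(self._key(token), None)


def run_query(table, token, fetch_rows):
    """The user-id always comes from the table lookup, never from the request."""
    user_id = table.user_for(token)
    if user_id is None:
        raise PermissionError("no valid session")
    return fetch_rows(user_id)
```
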