[3526] in WWW Security List Archive


Re: Customized Queries

daemon@ATHENA.MIT.EDU (Roberto Galoppini)
Wed Nov 13 12:07:34 1996

Date: Wed, 13 Nov 1996 15:17:56 +0100
From: Roberto Galoppini <rgaloppini@tim.it>
Reply-To: rgaloppini@tim.it
To: www-security@ns2.rutgers.edu
CC: "Patrick C. Richard <patr@xcert.com> Michael Brennen" <mbrennen@fni.com>
Errors-To: owner-www-security@ns2.rutgers.edu

Patrick C. Richard wrote:
<snip>

> Ya, PHP is good. We do this with client certs and PHP.
> 
> If you want to see this working, go to https://auth.xcert.com.
> 
> (You will need a client cert). It shows your username and stuff.
> 
>     -- Michael

OK, I'll have a look at your site, but my concern is about HOW
to pass this user-id.

As far as I can see I could:
* use a hidden tag and get it back for any POST or GET action;
* use cookies, putting the user-id in a NAME (possibly with the
secure param);
* use HTTP Access Authentication.

Then I need to pass the user-id to the procedure that runs my queries
(namely a PL/SQL procedure), so:
- if I use a hidden tag I should put it in the POST (or GET) param
list;
- if I use the HTTP Access Authentication scheme I should get the
REMOTE_USER variable;
- if I use cookies I should get the value for that name.

What are the differences from a security point of view?
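
[Added example, not part of the original message or the poster's code: a CGI-style sketch of where each of the three user-id sources comes from. The field and cookie name `userid`, the key `SERVER_KEY`, and the HMAC signing of client-held values are assumptions made for illustration; all request data is constructed.]

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def sign(user_id):
    """Return 'user_id.tag'; the tag is an HMAC only the server can compute."""
    tag = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify(token):
    """Return the user-id if the tag is valid, otherwise None."""
    user_id, _, tag = token.rpartition(".")
    expected = sign(user_id).rpartition(".")[2]
    ok = user_id and hmac.compare_digest(tag.encode(), expected.encode())
    return user_id if ok else None


def candidate_user_ids(environ, body):
    """The user-id each of the three schemes would pass to the query procedure."""
    form = parse_qs(body)
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return {
        "hidden_field": form.get("userid", [None])[0],  # sent by the client
        "cookie": cookies["userid"].value if "userid" in cookies else None,  # sent by the client
        "remote_user": environ.get("REMOTE_USER") or None,  # set by the server after auth
    }


def trusted_user_id(environ, body):
    """Prefer the server-asserted identity; accept client-held values only if signed."""
    ids = candidate_user_ids(environ, body)
    if ids["remote_user"]:
        return ids["remote_user"]
    for source in ("cookie", "hidden_field"):
        uid = verify(ids[source]) if ids[source] else None
        if uid:
            return uid
    return None


# Constructed request: authenticated as alice, but form and cookie both claim bob.
env = {"REMOTE_USER": "alice", "HTTP_COOKIE": "userid=bob"}
print(candidate_user_ids(env, "userid=bob&q=report"))
print(trusted_user_id(env, "userid=bob&q=report"))
```

The hidden tag and the cookie arrive in the request exactly as the client chose to send them, while REMOTE_USER is filled in by the web server only after the authentication check has passed.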
