[3544] in WWW Security List Archive


Re: Customized Queries

daemon@ATHENA.MIT.EDU (Patrick C. Richard)
Thu Nov 14 21:35:54 1996

Date: Thu, 14 Nov 1996 16:08:44 -0800 (PST)
From: "Patrick C. Richard" <patr@xcert.com>
To: Roberto Galoppini <rgaloppini@tim.it>
cc: www-security@ns2.rutgers.edu,
        "Patrick C. Richard <patr@xcert.com> Michael Brennen" <mbrennen@fni.com>
In-Reply-To: <3289D894.36F2@tim.it>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 13 Nov 1996, Roberto Galoppini wrote:

> Date: Wed, 13 Nov 1996 15:17:56 +0100
> From: Roberto Galoppini <rgaloppini@tim.it>
> To: www-security@ns2.rutgers.edu
> Cc: "Patrick C. Richard <patr@xcert.com> Michael Brennen" <mbrennen@fni.com>
> Subject: Re: Customized Queries
> 
> Patrick C. Richard wrote:
> <snip>
> 
> > Ya, PHP is good. We do this with client certs and PHP.
> > 
> > If you want to see this working, go to https://auth.xcert.com.
> > 
> > (You will need a client cert). It shows your username and stuff.
> > 
> >     -- Michael
> 
> Ok, I'll have a look at your site, but my concern is about HOW
> to pass this user-id.
> As far as I can see I could:
> * use a hidden TAG and get it back for any POST or GET action;
> * use cookies, putting the user-id in a NAME (eventually with the
> secure param);
> * use http Access Authentication.
> Then I need to pass the user-id to the procedure that runs my queries
> (namely a PL/SQL procedure) so:
> - if I use a hidden tag I should put it in the POST (or GET)'s param
> list;
> - if I use the http Access Authentication scheme I should get the
> REMOTE_USER variable;
> - if I use cookies I should get the value for that name.
> What are the differences from a security point of view?

Stronghold (see http://ww.c2.net) sets an environment variable
called SSL_CLIENT_DN and when integrated with Sentry you also
get to see that DN parsed out as independent variables.

(this is the DN that is contained in the connecting client's certificate)
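
The following is an added example, not part of the original message or of any product named in it. It takes the user-id only from variables the web server sets (SSL_CLIENT_DN, REMOTE_USER) and treats a hidden field or cookie as an unverified claim to compare against. The `user_id` field and cookie name, the use of CN as the user-id, and the slash-separated DN layout are assumptions.

```python
"""Added example: choose the user-id from server-set variables, not client input."""


def parse_dn(dn):
    """Split a slash-separated DN (assumed layout) into a dict of its fields."""
    fields = {}
    for part in dn.strip().split("/"):
        if "=" not in part:
            continue  # skip the empty leading element and malformed pieces
        key, value = part.split("=", 1)
        fields.setdefault(key.strip().upper(), value.strip())
    return fields


def resolve_user(environ, form, cookies):
    """Return (user_id, source, warnings).

    environ: variables set by the web server for this request
    form:    POST/GET parameters (includes any hidden field)
    cookies: cookie name -> value
    Only environ is trusted; form and cookie values are compared, never used.
    """
    user_id, source = None, None
    dn = environ.get("SSL_CLIENT_DN")
    if dn:
        user_id = parse_dn(dn).get("CN")  # assumption: CN carries the user-id
        source = "SSL_CLIENT_DN"
    if not user_id and environ.get("REMOTE_USER"):
        user_id, source = environ["REMOTE_USER"], "REMOTE_USER"

    warnings = []
    for origin, claimed in (("hidden field", form.get("user_id")),
                            ("cookie", cookies.get("user_id"))):
        if claimed is not None and claimed != user_id:
            warnings.append(f"{origin} claims {claimed!r}, server says {user_id!r}")
    return user_id, source, warnings


# Constructed sample request: certificate for alice, form field edited to bob.
SAMPLE_ENV = {"SSL_CLIENT_DN": "/C=CA/O=Example Corp/CN=alice/Email=alice@example.com"}
SAMPLE_FORM = {"user_id": "bob", "query": "balance"}
SAMPLE_COOKIES = {"user_id": "alice"}

if __name__ == "__main__":
    print(resolve_user(SAMPLE_ENV, SAMPLE_FORM, SAMPLE_COOKIES))
```

The value passed on to the query procedure is the first element of the returned tuple; a non-empty warnings list is worth logging, since it means the client sent a user-id that differs from the one the server established.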
