[4499] in WWW Security List Archive
Re: Re:Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Jeremey Barrett)
Wed Feb 19 14:46:56 1997
Date: Wed, 19 Feb 1997 09:43:11 -0800 (PST)
To: daver@idiom.com
CC: www-security@ns2.rutgers.edu, jim@telecnnct.com
In-reply-to: <v02140b00af30620a5ed2@[206.14.80.95]> (daver@idiom.com)
Cc: jeremey@veriweb.com
From: Jeremey Barrett <jeremey@veriweb.com>
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
> At 12:34 PM 2/18/97, Jim Harmon wrote:
> > [snip]
> >
> > Without getting into login scripts for our IntraNet, is there a way for
> > me to capture the user's real account name via his/her browser? ...
> > Is there a way to include or discover that information in the CGI
> > Script?
>
> Years ago, some of the early browsers like Mosaic sent this information
> in the $REMOTE_USER environment variable, but it was considered a
> violation of privacy among users and this feature was dropped from
> all browsers since then.

Well... no. First, a web browser _cannot_ set environment variables
for a CGI, only a server can (it's the server doing the exec()-ing).
Second, $REMOTE_USER holds the value of the username given via
authentication, i.e. a WWW-Authenticate: header and response.
So the server may or may not set $REMOTE_USER. It will set it if
the user has been authenticated.

Finding out the user's login on _his_ system requires an ident query,
sent by the web server to the identd daemon on the user's machine.
This is sent to a CGI in $REMOTE_IDENT, and should _not_ be used
as the basis for authentication, as 1) it is trivially faked, and 2)
most machines (especially windoze), do not run identd daemons.

As far as "Real Name", you might want to investigate using X.509
certificates as your authentication mechanism, which will allow
you to put some reasonable information in the certificate.
XCert (www.xcert.com) is doing this stuff, as are others.
- --
=-----------------------------------------------------------------------=
Jeremey Barrett VeriWeb Internet Corp.
Crypto, Ecash, Commerce Systems http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAwUBMws7li/fy+vkqMxNAQHcEgP/cjRrwlAt41EEUBG8xXzl/5K1RgqEX2Zi
VFD7hMerGfZDUzOx9fa5yGwaJktmDKjL911DIA53wgPpebhO4P4zXhwNTTLzPQQx
PloxEsnqoCS88Zhd2XTD+h8f0FfSplCzZLzrsbfa9GXyUMorXMVhTmc8mZgE8rx6
yANNjd5CCgg=
=z0jd
-----END PGP SIGNATURE-----
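The distinction drawn in the message above (the server, not the browser, sets REMOTE_USER, and only after its own authentication succeeds; REMOTE_IDENT is whatever the client host's identd chose to answer) as an added Python example. This is not code from the original message or from any server or product it mentions; the user table, realm name, addresses and ident reply are constructed for the example. It goes one step beyond the message in also showing where a client-supplied request header lands in the CGI environment (under an HTTP_ prefix), which is why a browser cannot plant REMOTE_USER itself.

```python
import base64
import hmac

# Constructed credential store for this example (username -> password).
# Plain text keeps the focus on who sets REMOTE_USER; a real server hashes.
USERS = {"jim": "s3cret"}
REALM = "IntraNet"  # hypothetical realm name, an assumption of this example


def basic_credentials(user, password):
    """Build the Authorization value a browser sends after a Basic challenge."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def authenticate_basic(headers):
    """Server-side HTTP Basic authentication. Returns (username, challenge):
    on success challenge is None; otherwise username is None and challenge
    is the WWW-Authenticate value to send with a 401 response."""
    challenge = 'Basic realm="%s"' % REALM
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None, challenge
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None, challenge
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None, challenge
    # Constant-time comparison so a wrong password cannot be spotted by timing.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None, challenge
    return user, None


def parse_ident_reply(line):
    """Parse an RFC 1413 ident reply, e.g. '6193 , 23 : USERID : UNIX : alice'.
    Returns the user id the remote host asserted, or None for ERROR or
    malformed replies. Nothing verifies the value: whoever controls the
    client machine can put any string in that field."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) != 4 or parts[1].upper() != "USERID":
        return None
    return parts[3] or None


def build_cgi_environ(headers, remote_addr, ident_reply=None):
    """Build the CGI/1.1 environment the server execs the script with.
    Only the server writes these variables. Client headers are copied under
    an HTTP_ prefix, so a browser sending 'Remote-User: root' yields
    HTTP_REMOTE_USER, never REMOTE_USER. REMOTE_USER appears only when the
    server's own authentication succeeded; REMOTE_IDENT only when the server
    itself queried identd on the client and got a USERID reply."""
    environ = {"GATEWAY_INTERFACE": "CGI/1.1", "REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        if name.lower() == "authorization":
            continue  # consumed by the server; conventionally not forwarded
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    user, challenge = authenticate_basic(headers)
    if user is not None:
        environ["AUTH_TYPE"] = "Basic"
        environ["REMOTE_USER"] = user
    if ident_reply is not None:
        ident = parse_ident_reply(ident_reply)
        if ident is not None:
            environ["REMOTE_IDENT"] = ident
    return environ, challenge


def cgi_script(environ):
    """The script's side: REMOTE_USER is the authenticated account;
    REMOTE_IDENT is at most a log hint. Returns (status, body)."""
    user = environ.get("REMOTE_USER")
    if user is None:
        return 403, "no authenticated user\n"
    hint = environ.get("REMOTE_IDENT", "(no identd reply)")
    return 200, "account: %s\nident claims (unverified): %s\n" % (user, hint)


def handle_request(headers, remote_addr, ident_reply=None):
    """Server front door: challenge unauthenticated clients, else run the CGI.
    Returns (status, response_headers, body)."""
    environ, challenge = build_cgi_environ(headers, remote_addr, ident_reply)
    if challenge is not None:
        return 401, {"WWW-Authenticate": challenge}, ""
    status, body = cgi_script(environ)
    return status, {}, body


if __name__ == "__main__":
    # Constructed exchange: first a bare request, then the retry carrying
    # credentials plus a forged Remote-User header and a fake ident reply.
    print(handle_request({"User-Agent": "Mosaic/2.7"}, "10.0.0.7"))
    hdrs = {"Authorization": basic_credentials("jim", "s3cret"), "Remote-User": "root"}
    print(handle_request(hdrs, "10.0.0.7", "6193 , 23 : USERID : UNIX : alice"))
```

Running the two requests shows the point of the message: the first gets a 401 with the WWW-Authenticate challenge and no CGI ever runs; the second reaches the script with REMOTE_USER=jim set by the server, the forged header demoted to HTTP_REMOTE_USER, and the ident reply surfacing only as an unverified hint.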