[4501] in WWW Security List Archive
Re: Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Lars Eilebrecht)
Wed Feb 19 15:35:23 1997
To: "www-security" <www-security@ns2.rutgers.edu>
In-Reply-To: <3309E81E.58EEE8E@telecnnct.com>
From: "Lars Eilebrecht" <sfx@unix-ag.uni-siegen.de>
Date: Wed, 19 Feb 1997 14:58:00 +0200
Errors-To: owner-www-security@ns2.rutgers.edu
Jim Harmon wrote:
> The system we're using is GNATS (GNU Activity Tracking System), with a
> CGI program called WWWGNATS, a perl-based user interface.
Do you have a URL for WWWGNATS?
> As part of the security of this system, we've built our IntraNet on a
> restricted user --say "homeboy".
>
> Whenever I try to identify a user, the $ENV resolution of $REMOTE_USER
> is "homeboy", not user "fred" or "charlie" or "alice".
Well, you are talking about the server's identity check, but you should
not use $REMOTE_USER for authentication purposes. For example... if I
have a Unix box with an ident daemon installed I will see the user's
login name in $REMOTE_USER, but it's always possible to let the identd
return any other string/number instead of the real login name.
And normally there's no ident daemon on a Win/Mac machine.
> Without getting into login scripts for our IntraNet, is there a way for
> me to capture the user's real account name via his/her browser?
I think you should use a server-based authentication method (e.g.
basic WWW authentication) to restrict access to the WWWGNATS pages.
ciao...
Lars
--
_____ ____ __
/\___// __// / __ sfx@cyberspace.org
\ \ / /_\ / /\_\ http://www.cyberspace.org/~sfx/
___\ \/ __// \ \/_/
/____\/_/ /_/\ \ - "Don't interrupt me while I'm interrupting."
\_\ (Winston S. Churchill)
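An added configuration example (not from the original post or from WWWGNATS) showing the two approaches Lars contrasts, written for an Apache 1.x-style httpd.conf; the directory and password-file paths are assumptions:

```apache
# Weak: an ident lookup. Apache's IdentityCheck directive asks the client's
# identd and stores the reply in REMOTE_IDENT (the post describes servers that
# surface it as REMOTE_USER). The remote host controls that string, so it must
# never be treated as authentication.
#IdentityCheck On

# Recommended: let the server authenticate the user. Only then is REMOTE_USER
# (together with AUTH_TYPE=Basic) a value the CGI script can rely on.
# Assumed path for the WWWGNATS CGI directory:
<Directory /usr/local/etc/httpd/cgi-bin/wwwgnats>
    AuthType Basic
    AuthName "GNATS problem reports"
    # Assumed path; create entries with: htpasswd -c <file> <user>
    AuthUserFile /usr/local/etc/httpd/conf/gnats.htpasswd
    require valid-user
</Directory>
```

Basic authentication sends credentials base64-encoded, not encrypted, so on a network where that matters it belongs behind SSL.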