can an HTTP server determine identity of client?

Tim Berners-Lee (timbl@www3.cern.ch)
Tue, 10 Nov 92 14:59:06 +0100


Date: Tue, 10 Nov 92 14:59:06 +0100
From: Tim Berners-Lee <timbl@www3.cern.ch>
Message-Id: <9211101359.AA00461@www3.cern.ch>
To: www-talk@nxoc01.cern.ch
Subject: can an HTTP server determine identity of client?


Jim,

The server can't access the user name but it can and does know the
host internet address.  This is available in a global string

 extern char * HTClientHost;

if I remember rightly. Any routine in the server can access this.
It's used for logging by the basic daemon with the -l option for example.

The string is a number like "128.141.201.74".  If Cornell has a limited
number of domains then the program could check this string against
a number of templates. Otherwise, you could check the hostname
by doing a gethostbyaddr or whatever call to the nameserver.
There is a trap here in that, although the routine will return fast
for local addresses, it can take a long time for remote addresses.
As you are forced to do the lookup before delivering the data, this
will delay every request.  You could of course keep your own cache
of machine names. But sticking at the number level might be the most
practical way.

The new protocol will have hooks to allow the client to specify
a user name, mail address, etc, but of course the internet address
is more reliable than anything inserted by the client.

We have a philosophy that the same doc id should always return the same
document, or an error, no matter who asks. This preserves the usefulness
of quoting the document id. This means that you shouldn't just miss out
links from a document when the person is not allowed to follow them.
It is better to have a note, heading, etc to distinguish private from
public things, and then let an attempt to retrieve private things return
an error.

	Tim
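
One way to do the number-level check against templates described in the message above, as an added example that is not part of the original message or of the CERN server code. It compares the address numerically against network prefixes, because a plain string-prefix test on "128.14" would also accept "128.141.x.x". The network list and all function names are assumptions, and a local string stands in for HTClientHost.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One allowed network "template": base address and prefix length. */
struct net_template { const char *base; int prefix_len; };

/* Constructed sample list (assumption): networks permitted to fetch. */
static const struct net_template allowed_nets[] = {
    { "128.141.0.0", 16 },
    { "192.0.2.0",   24 },   /* documentation range used as a placeholder */
};

/* Return 1 if dotted-quad `host` lies inside base/prefix_len, 0 if not,
 * -1 if either string is not a valid IPv4 address. */
static int match_template(const char *host, const struct net_template *t)
{
    struct in_addr h, b;
    uint32_t mask;

    if (host == NULL || t->prefix_len < 0 || t->prefix_len > 32)
        return -1;
    if (inet_pton(AF_INET, host, &h) != 1 || inet_pton(AF_INET, t->base, &b) != 1)
        return -1;
    /* Shifting a 32-bit value by 32 is undefined, so handle /0 apart. */
    mask = t->prefix_len == 0 ? 0 : 0xFFFFFFFFu << (32 - t->prefix_len);
    return ((ntohl(h.s_addr) ^ ntohl(b.s_addr)) & mask) == 0;
}

/* Fail closed: a missing or malformed address is never allowed. */
int client_allowed(const char *client_host)
{
    size_t i;
    for (i = 0; i < sizeof allowed_nets / sizeof allowed_nets[0]; i++)
        if (match_template(client_host, &allowed_nets[i]) == 1)
            return 1;
    return 0;
}

int main(void)
{
    /* Stand-in for the server's HTClientHost global (assumption). */
    const char *client = "128.141.201.74";
    printf("%s -> %s\n", client, client_allowed(client) ? "allowed" : "refused");
    return 0;
}
```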