Re: custom authentication functions from Darren New on 1996-03-28 (www-talk@w3.org from March to April 1996)

From: Darren New <dnew@yuan.fv.com>
Date: Thu, 28 Mar 1996 09:34:09 -0800 (PST)
To: Mike Meyer <mwm@contessa.phone.net>
Cc: www-talk@w3.org
Message-Id: <Pine.LNX.3.91.960328091358.174B-100000@yuan.fv.com>

On Wed, 27 Mar 1996, Mike Meyer wrote:
> The "e" flag to ps on BSD-based boxes will give you the environment.
> To get it all, you want to use "ww" as well. I don't konw SysV boxes

Right. I'd claim that's a bug in "ps", not a problem to work around in 
the CGI spec that's not even supposed to be UNIX-specific, actually. :-)

I'd hate to see the fact that the only even-mildly-secure-yet-portable IPC 
under UNIX is pipes cause the CGI spec to have some grodiness like 
additional pipes open to the script just to pass "secure" information.

> > Fortunately, our webservers don't have any untrusted users logging in.
> That depends on who you are trying to protect against, 

I'd also hate to see CGI be unusable with some languages just to keep 
some folks from having to buy a separate machine or disable "ps" or whatever.
That is, languages where you can't just use an open file handle without 
actually openning it.

> > right place. The real problem is that the CGI script doesn't get invoked
> > until *after* the username and password are validated. If you want the CGI
> > script to do the validation, you're out of luck.
> 
> Your real problem is a DIFFERENT problem than not being able to get
> the authentication headers.

That's right.

> If the server is doing authentication when it's not been configured to
> do so, I'd call that a server bug.

I'm not sure I remember what the problems were. I just wrote my own 
webserver that worked the way I wanted well enough to test out the 
concepts. Since the stuff was intended to run in a high-volume server, I 
knew I'd have to code the most common paths of the CGI into the server 
anyway, so I didn't investigate too much beyond swearing.  :-)

> That's not a browser issue - the browser doesn't have any choice in

I misspoke. I meant server there. I haven't found a server that would 
pass authentication to the CGI script.

--
 Darren New / Dir. of Custom Software Design / First Virtual Holdings Inc.
Anyone can buy and sell information over the internet for real money TODAY!
  http://www.fv.com or info@fv.com  -=|=-  PGP key: finger dnew@yuan.fv.com
      This message brought to you by the letter T, and the number 1.

Received on Thursday, 28 March 1996 12:49:21 UTC