List:       mysql
Subject:    Re: mod_auth_mysql without a pop-up/login window ? & innerworkings ?
From:       Van <vanboers () server ! dedserius ! com>
Date:       1999-08-02 0:59:39

chas wrote:
> 
> I've had enough of writing my own dodgy authentication scripts
> and hiding variables all over the place whilst trying to manage
> state. It seems that mod_auth_mysql is the 'proper' way to do
> this, but first a couple of questions :
> 
> [in a previous thread, Herbert wrote]
> >My understanding of mod_auth_mysql is, that when
> >you try to access a protected site a login window
> >appears where you have to enter login and password.
> 
> Is it possible to do away with the pop-up login window and use
> a normal HTML form within a webpage like hotmail/yahoo etc ?
> (purely aesthetic value).
> 
> [in a much earlier thread, Brian Gentry wrote]
> >Then the username/password is passed each time as part of the HTTP
> >headers. You just grab the REMOTE_USER environment variable to get the
> >username, and lookup the password in the db (accessing as the web server).
> >The password is not available to you in the CGI, but the web server does
> >check it each time.
> 
> Wait, do I understand this correctly - Even after the first
> challenge (ie. once the user has been authenticated), all
> subsequent HTTP requests still result in Apache checking
> the username/password ? Doesn't this mean that a single web
> page with 10 graphics will still result in 11 MySQL
> Apache-to-MySQL queries ?  I would have thought that once the user is
> authenticated, Apache wouldn't need to query MySQL for subsequent
> requests. Or would that be too easy for somebody to spoof ?
> It just seems like this could become quite a burden on heavy sites.
> 
> If mod_auth_mysql really does result in so many queries (ie. one
> for each and every file requested), I guess the authentication
> table is a prime candidate for a heap table.
> 
> Insights welcomed. Thank you very much,
> 
> chas
> 
Chas,
If this becomes too painful for you in what you're doing, pitch me an
e-mail. I designed something like this a couple months ago that never
flew. Basically, it's a PHP application that contains a username/passwd
field in an HTML table on the front page, then, pitches those values to
an authentication procedure that checks for a valid e-mail, and,
username on a specific server.

It does this without the HTTP challenge-response stuff, so, there's no
irritating dialog boxes. You can also allow the user to select the
password themselves (encrypted with the MySQL password() function), if
you want to use the e-mail validation piece.
Lemme know.
Van
Van
-- 
=========================================================================
Linux rocks!!!   http://www.dedserius.com
=========================================================================
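
Added example, not part of the original messages or of mod_auth_mysql: a Python model of the trade-off discussed in this thread, comparing Basic auth (credentials re-checked on each of the 11 requests for a page with 10 graphics) with a form login that checks the password once and then issues an HMAC-signed session cookie, which cannot be altered without the server's key. The USERS dict stands in for the MySQL auth table, PBKDF2 is used in place of the password() function mentioned in the reply, and SERVER_KEY and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, os, time

# Constructed stand-in for the auth table: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"chas": (_SALT, hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000))}
SERVER_KEY = os.urandom(32)  # hypothetical server-side cookie-signing secret
db_lookups = 0               # simulated queries against the auth table

def check_password(user, password):
    """One auth-table lookup plus a constant-time hash comparison."""
    global db_lookups
    db_lookups += 1
    salt, stored = USERS.get(user, (b"", b""))  # unknown user: still hash, never match
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, guess)

def basic_auth_request(header):
    """Basic auth: 'Basic base64(user:pass)' arrives with every request."""
    scheme, _, blob = header.partition(" ")
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return None
    return user if scheme == "Basic" and check_password(user, password) else None

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def form_login(user, password, ttl=3600):
    """Form login: one password check, then an HMAC-signed session cookie."""
    if not check_password(user, password):
        return None
    payload = f"{user}|{int(time.time()) + ttl}"
    return f"{payload}|{_sign(payload)}"

def cookie_request(cookie):
    """Later requests verify signature and expiry only: no auth-table lookup."""
    payload, _, sig = cookie.rpartition("|")
    user, _, expiry = payload.rpartition("|")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    return user if expiry.isdigit() and int(expiry) >= time.time() else None

def lookups_for_page(handler, credential, requests=11):
    """Users seen and lookups made for one page plus ten graphics."""
    before = db_lookups
    users = {handler(credential) for _ in range(requests)}
    return users, db_lookups - before
```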
