Re: Identifying Mosaic session

Steven D. Majewski (sdm7g@virginia.edu)
Tue, 20 Dec 1994 21:47:24 -0500 (EST)


On Tue, 20 Dec 1994 alain@hyperman.co.il wrote:

> I have an NCSA httpd server running on my machine
> I would like to know if there is a way for the server, to identify a given
> "session" in Mosaic. Something that would be similar to the username-password authentication
> scheme that exists under Mosaic ,in a given session you are only once asked the password,username
> for a given directory. This could be used for instance, to ask only once in a "Mosaic session"
> some information to the user.

One way might be to use the Authorization: field to carry session info -
the idea being to require authorization, but to allow any arbitrary user
access, and just use the returned Authorization: as a session id.

To support authorization (at least, to support it without constantly asking
for passwords again and again) the clients keep the authorization info for
each page. The question is whether this is hierarchical or not - once you
have an authorization for a root page, are clients in fact smart enough
to use that string for other transactions to other URL's below that root ?

[ From casual outside observation of clients actions, I *think* that is
the case, but I haven't really tested it. ]

However, although you're relying on the client support for authorization,
you have to "roll your own" authorization on the server in your CGI's.
They have to demand authorization, but accept anything, and use that
returned string as the "session id".

---| Steven D. Majewski (804-982-0831) <sdm7g@Virginia.EDU> |---
---| Computer Systems Engineer University of Virginia |---
---| Department of Molecular Physiology and Biological Physics |---
---| Box 449 Health Science Center Charlottesville,VA 22908 |---