remote patron authentication

[Monica King]

glen and others,

i guess i'll throw my two cents in this discussion again since i have 
gotten requests for our method and script (off the list) numerous 
times in the last several months.

our low tech approach is to authenticate users using their patron 
library barcode through a password protected page method.

patrons select a button for remote access from our home page.  on the 
remote access page they are prompted for their library card number. 
since all of our card numbers start with the same five digits, our 
cgi script (written in perl) actually only looks for these five 
digits.  if they type in their barcode number correctly they are 
taken to a page with all the instructions, urls, and remote ids for 
accessing all of our databases. (you can also "pass" the remote 
IDs and passwords using forms if you are so inclined thus saving your 
patrons another step)

many online databases vendors sell various forms of remote patron 
authentication service, and in fact EBSCO's version is a scripting 
method very similiar to our free method and others described on the 
list.  

advantages to this system as others have pointed out are:
1) it's free 
2) vendors are okay with our method since we have demonstrated a good 
faith effort to validate our users
3) i only have one web page to maintain which is important since 
database urls change ( our gale address changed three times this year 
alone!), passwords/ids change, and databases are added/subtracted 
yearly AND
4) believe it or not, our users understand how to do this with little 
instruction although i do have a brochure outlining the method and 
give many workshops throughout the year explaining the procedure.

finally (bet you're glad to see that),
even though we are a relatively small library system (approx. 63,000 
registered borrowers), over 4000 patrons use our remote access page 
every month and have been successfully doing so for the last 18 
months.

i've attached the script, i know it needs work and would welcome 
suggestions (i already have a stack full)

monica king
ouachita parish public library
(318) 327-1490
http://www.ouachita.lib.la.us

_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com
-------------- next part --------------
#!/usr/bin/perl

# File:  verify.cgi
# Created:   17 Apr 98 Aisha Schmitt
# Last modified:  20 Apr 98 Aisha Schmitt
#                 08 Jan 99 Randall Smith

# This is where you change the password. Do not touch anything else!
# Examples:
# for RedDog as the password the line below will look like
#               $password = "RedDog";
# for 123Test as the password the line below will look like
#               $password = "123Test";

$password = "23530";

# Do not anything else here!
# ---------------------------------------------------------

# read in HTML form information into buffer
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

# Split the name-value pairs
@pairs = split(/&/, $buffer);

$bad_password = 'y';

foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $name =~ tr/+/ /;
        $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;

} # foreach $pair

        # check password for validity
        if ($value =~ /$password/) {
                $bad_password = 'n';
        } # if

close (MAIL);
close (FILE);

if ($bad_password eq 'n') {
        print "Location: http://www.ouachita.lib.la.us/right_pwd.html\n\n";
}

else {
        print "Location: http://www.ouachita.lib.la.us/wrong_pwd.html\n\n";
}