[WEB4LIB] Re: Intranets and IP authentication and bears, Oh my!
Eric Hellman
eric at openly.com
Fri Dec 22 11:01:35 EST 2000
Funny, I thought the zero size frame trick was only used on porn
sites! Well, you can learn a lot if you surf around.
Seriously though, I think we should acknowledge that with password
access, we are dealing with a lot of fig leaves.
Consider the use of zero size frames to hide embedded passwords. In
this case, the library is jumping through hoops to save the publisher
from adding about 5 lines of code to their authentication process.
Really, the password-hiding that the zero frame accomplishes is
achieved much more efficiently and "securely" if the publisher site
immediately redirects with a session cookie or token. If you find a
publisher whining that this is difficult in their system for some
obscure reason, send them to me.
What a publisher worries about is whether someone can take passwords
and gain wholesale access from parts of the world that don't take
copyrights seriously. With respect to this concern, use of referring
URL provides no protection and has the disadvantage that if it's
compromised, it's harder to change than a password. Access by
referring URLs also breaks easily and hinders linking and
bookmarking.
Eric
At 3:01 PM -0800 12/21/00, Dan Lester wrote:
>Thursday, December 21, 2000, 2:00:23 PM, you wrote:
>
>JC> If the database is dynamic, you could build the Yes/No determination right
>JC> into the database. For instance, if the database was presented in an HTML
>JC> format, and you had Server Side Includes (SSI) turned on on your
>JC> webserver, you could use a simple SSI command to say "If the internal IP
>JC> address is in the CDRH range, give them the URL to the selected database
>JC> (maybe with an embedded userid / password redirect), Otherwise, print the
>JC> name of the journal and then 'for CDRH use only'".
>
>Something similar is described at
>
>http://www.riverofdata.com/tools/authentication.htm
>
>To increase the security and solve the problem cited below, this
>article describes the use of frames of size zero to conceal the URL of
>the site to which the user is redirected. No, it isn't perfect
>security, but it improves it enough to eliminate problems.
>
>JC> Neither of these keeps someone from getting the userid / password once
>JC> during a legitimate session, and using them other times (unless you use
>JC> referring URL on the vendor's end), but it does keep the accidental use
>JC> down.
>
>Some of our vendors also use referring URL, which seems to me to be
>the ideal way for them to handle it.
>
>Happy holidays
>
>dan
>
>--
>Dan Lester, Data Wrangler dan at RiverOfData.com
>3577 East Pecan, Boise, Idaho 83716-7115 USA
>www.riverofdata.com www.postcard.org www.gailndan.com
Eric Hellman
Openly Informatics, Inc.
http://www.openly.com/ 21st Century Information Infrastructure
LinkBaton: Your Links that Learn http://my.linkbaton.com/
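The two schemes compared in the message above, as an added example (not code from the original post, nor from any of the publishers or libraries mentioned). It models the publisher side: the library's hidden-frame link hits a login URL once with the account name and password, the site exchanges that credential for an opaque session cookie and redirects to a clean URL, and every later request is authorised by the cookie alone. Beside it is the "referring URL" gate, which trusts a header the client itself sends. The account name, password, salt, hostnames and paths are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed credential store: one institutional account the publisher has
# issued.  The salt and password are made up for this example.
_SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


ACCOUNTS = {"example-library": _hash_password("correct horse battery")}

# Server-side session table: opaque token -> account name.
SESSIONS: dict[str, str] = {}


@dataclass
class Response:
    status: int
    location: str = ""      # Location header on a redirect
    set_cookie: str = ""    # Set-Cookie header, if any


def login_and_redirect(query: dict) -> Response:
    """The publisher's entry point.  The hidden-frame link hits it once with
    the account name and password in the query string.  Rather than serving
    content from that credential-bearing URL, the site verifies the password,
    mints a random session token and redirects to a clean URL, so the password
    never appears in anything the user goes on to see, bookmark or copy."""
    stored = ACCOUNTS.get(query.get("user", ""))
    supplied = _hash_password(query.get("pass", ""))
    # Hash first, then constant-time compare: unknown accounts and wrong
    # passwords take the same path and the same time.
    if stored is None or not hmac.compare_digest(stored, supplied):
        return Response(403)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = query["user"]
    cookie = f"session={token}; Path=/; Secure; HttpOnly"
    return Response(302, location="/journal/", set_cookie=cookie)


def serve_journal(cookies: dict) -> Response:
    """Every later request is authorised by the session cookie alone."""
    token = cookies.get("session")
    return Response(200) if token in SESSIONS else Response(403)


def referer_gate(headers: dict,
                 allowed_prefix: str = "http://library.example.edu/") -> Response:
    """The 'referring URL' scheme: trust whatever Referer the client sends.
    The header is set by the client, so any value can be supplied from
    anywhere (e.g. curl -H 'Referer: http://library.example.edu/')."""
    if headers.get("Referer", "").startswith(allowed_prefix):
        return Response(200)
    return Response(403)


def demo() -> dict:
    """Walk both schemes and return the observed outcomes."""
    results = {}
    results["bad_password"] = login_and_redirect(
        {"user": "example-library", "pass": "wrong"}).status
    first = login_and_redirect(
        {"user": "example-library", "pass": "correct horse battery"})
    results["good_password"] = first.status
    results["password_in_redirect_target"] = "correct horse battery" in first.location
    # Pull the token back out of Set-Cookie, as a browser would.
    token = first.set_cookie.split(";")[0].split("=", 1)[1]
    results["with_session"] = serve_journal({"session": token}).status
    results["bookmarked_without_session"] = serve_journal({}).status
    results["referer_genuine"] = referer_gate(
        {"Referer": "http://library.example.edu/databases.html"}).status
    # Same header, sent from an unrelated network: indistinguishable.
    results["referer_forged"] = referer_gate(
        {"Referer": "http://library.example.edu/"}).status
    results["referer_missing"] = referer_gate({}).status
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the redirect target carries no credential, a bookmarked clean URL without the cookie is refused, and the Referer gate accepts a forged header exactly as it accepts a genuine one, while also refusing browsers that strip Referer, which is the "breaks easily" failure the message mentions.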