[WEB4LIB] Re: Intranets and IP authentication and bears, Oh my!

Dan Lester dan at riverofdata.com
Fri Dec 22 11:27:20 EST 2000


Friday, December 22, 2000, 9:01:35 AM, you wrote:

EH> Funny, I thought the zero size frame trick was only used on porn 
EH> sites! Well, you can learn a lot if you surf around.

Librarians learn lots of things from a lot of places, though I didn't
learn it from porn sites.  In fact, had never noticed it on the ones
I've seen. Of course at porn sites people aren't usually looking at
the URLs and code, I guess.

EH> Seriously though, I think we should acknowledge that with password 
EH> access, we are dealing with a lot of fig leaves.

Absolutely.

EH> Consider the use of zero size frames to hide embedded passwords. In 
EH> this case, the library is jumping through hoops to save the publisher 
EH> from adding about 5 lines of code to their authentication process.

Agree completely.  And I've talked to several folks on the development
side at several providers.  They've always said it is the way it is
because the bosses have said to do it that way.  I've never been sure
whether that is a lame excuse, whether it is true and they can't/won't
fight it, or what.  Maybe some of the aggregators have folks reading
this list... but that might be too much to hope for.

EH> Really, the password-hiding that the zero frame accomplishes is
EH> achieved much more efficiently and "securely" if the publisher site 
EH> immediately redirects with a session cookie or token. If you find a 
EH> publisher whining that this is difficult in their system for some 
EH> obscure reason, send them to me.

I'll do that next time.  I don't believe in telling people how to run
their business, but I do believe in telling them when their system
causes problems for us, and that may be a factor in our purchasing
decision.  At least one product/service was not licensed by Boise
State for that reason, and for a couple of others, that was a factor
in our switching database providers.

EH> What a publisher worries about is whether someone can take passwords 
EH> and gain wholesale access from parts of the world that don't take 
EH> copyrights seriously. With respect to this concern, use of referring 
EH> URL provides no protection and has the disadvantage that if it's 
EH> compromised, it's harder to change than a password. Access by 
EH> referring URLs also breaks easily and hinders linking and 
EH> bookmarking.

True enough on all the above.  But since we don't want users to
bookmark the databases, nor do the publishers, that isn't a real
problem.  We want them to authenticate each time if they're outside of
our IP range.  Otherwise, the bookmark could be passed around to the
detriment of both the provider and the library patrons.

Happy holidays,

dan

-- 
Dan Lester, Data Wrangler  dan at RiverOfData.com
3577 East Pecan, Boise, Idaho  83716-7115 USA
www.riverofdata.com  www.postcard.org  www.gailndan.com 
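
The two approaches argued over in this thread, side by side, as an added example that is not part of the original post or of any library or publisher system it mentions. The referring-URL check trusts a header the client writes; the alternative EH describes has the library confirm the client is inside its IP range, hand the publisher a short-lived signed token, and let the publisher redirect into a server-side session cookie. The shared secret, the hostname library.example, the documentation-range IP addresses and the function names are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from urllib.parse import urlparse

# Constructed values for this example; none of them come from the thread.
SHARED_SECRET = b"constructed-demo-secret-shared-by-library-and-publisher"
LIBRARY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # RFC 5737 documentation range


def referer_allows(headers, allowed_host):
    """Referring-URL 'authentication': accept whatever Referer the client sent.
    The browser (or any HTTP client) writes that header, so this only confirms
    what the client chose to claim, not where it actually came from."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == allowed_host


def mint_access_token(client_ip, now=None, ttl=60):
    """Library side: only after confirming the client is inside the library's IP
    range, mint a short-lived, HMAC-signed, single-use token for the publisher.
    Returns None for clients outside the range (they authenticate some other way)."""
    now = int(time.time() if now is None else now)
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in LIBRARY_NETWORKS):
        return None
    expires = now + ttl
    nonce = secrets.token_hex(8)
    sig = hmac.new(SHARED_SECRET, f"{expires}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{nonce}.{sig}"


class PublisherGateway:
    """Publisher side: redeem a token exactly once, then issue an opaque session id
    tracked server-side. Cutting off abuse means rotating SHARED_SECRET or clearing
    sessions, not editing a password embedded in every library's page."""

    def __init__(self, session_ttl=8 * 3600):
        self.session_ttl = session_ttl
        self.sessions = {}        # session id -> expiry timestamp
        self.used_nonces = set()  # replay protection for redeemed tokens

    def redeem(self, token, now=None):
        """Check signature, expiry and single use; return a session id or None."""
        now = int(time.time() if now is None else now)
        try:
            expires_s, nonce, sig = token.split(".")
            expires = int(expires_s)
        except (AttributeError, ValueError):
            return None
        expected = hmac.new(SHARED_SECRET, f"{expires}.{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        if now > expires or nonce in self.used_nonces:
            return None
        self.used_nonces.add(nonce)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = now + self.session_ttl
        return sid

    def session_valid(self, sid, now=None):
        now = int(time.time() if now is None else now)
        expiry = self.sessions.get(sid)
        return expiry is not None and now <= expiry


def demo():
    """Run both approaches over constructed requests and report what each accepts."""
    # Referer check: a request from any network can carry the 'right' Referer.
    from_anywhere = {"Referer": "http://library.example/databases"}
    referer_result = referer_allows(from_anywhere, "library.example")

    gw = PublisherGateway()
    inside = mint_access_token("192.0.2.10", now=1_000)     # in range: token issued
    outside = mint_access_token("198.51.100.7", now=1_000)  # out of range: None
    sid = gw.redeem(inside, now=1_010)
    replay = gw.redeem(inside, now=1_020)                   # same token a second time
    tampered = gw.redeem(inside[:-1] + ("0" if inside[-1] != "0" else "1"), now=1_010)
    stale = gw.redeem(mint_access_token("192.0.2.10", now=1_000), now=2_000)
    return {
        "referer_accepts_anyone": referer_result,
        "outside_range_gets_token": outside is not None,
        "session_issued": sid is not None and gw.session_valid(sid, now=1_500),
        "replay_rejected": replay is None,
        "tampered_rejected": tampered is None,
        "stale_rejected": stale is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the thread makes falls out of the results: the Referer check says yes to a request from anywhere, while the token path only opens a session for a client the library vouched for, refuses replays and expired or altered tokens, and leaves nothing in the library's page for a patron to copy and pass around.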
