httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Carleton" <scarle...@miltonstreet.com>
Subject handling authentication
Date Fri, 13 Jun 2008 13:08:02 GMT
I am working on a ISV that is developing kiosk system with Apache at
the core.  Considering my many years of software development is in
Windows Application development, not web development, I am running
into some issues with authentication.  I am hoping to gain some
insight from those of you that know that understand web development
far better then I do.

Initially I thought that since the whole system is a kiosk system,
each kiosk would have a different IP address, so I could simply
differentiate by IP.  Low and behold I have customers that is use
solutions like NComputing, which allow one physical machine to be
turned into 4~6 different kiosk's, all having the same IP address.  So
the obvious easy solution is to move to using Cookies.  The problem I
am having is figuring out how exactly to implement it.

There are three different issues need to be implemented:

1: Making sure the browser is one of my kiosk browsers application
(right now I am doing this by changing the user agent, but am open to
other approaches)
2: Making sure each browser is uniquely identified.
3: Making sure that the number of browsers connected does not exceed
the customers license.

Right now the kiosk browser simply connects to the root of the
application, index.php.  The Apache module hooks the access checker
(ap_hook_access_checker):

A: Checks to see if there is a valid license.
B: Checks to user agent string to see if it is a kiosk browser
C: Based on the type of license, check to see how many clients have
connected (based on the IP) in the last X seconds.

When using cookies, where should I put the timer?  Should I have the
Apache module track when the last time a said cookie connected to the
module or should I simply set the cookie to timeout in X seconds and
renew it on each request?  I am thinking it should work like this:

A: Checks to see if there is a valid license.
B: Check for the cookie
C: There is a cookie, check to see if the cookie has expired, if so
continue, otherwise update the system concerning the cookie and return
OK.
D: Checks to user agent string to see if it is a kiosk browser
E: Based on the type of license, check to see how many clients have
connected (based on the cookies) in the last X seconds.

Later in the PHP code, I can use the cookie as the unique identifier.

>From a security standpoint, is there anything I am missing?

Sam

Mime
View raw message