RE: protect tag on NT

This WebDNA talk-list message is from

1997


It keeps the original formatting.
numero = 13022
interpreted = N
texte = Olin ->>Passing the username and password to every page means that sometimes >>you're going to have hyperlinks displaying those usernames and >>passwords in the browser. That's why I use [protect] more or less >>universally on the Mac. >Yes. This is not good as passwords are then cluttered all over the >creation in caches, log files, and registries...even when using forms. >>So what you're saying is that on NT running IIS, there's no way to >>hide the username and password values ... unless Forms using >>method=post (and no hyperlinks) are used to navigate from protected >>page to protected page? >Is the the final answer for IIS? Is a fix planned?It doesn't look like there's a way around it if you're using IIS as your web server. Here's a good explanation Grant sent me this morning (after my it's just the same as the Mac guess turned out to be wrong):----------------------------- Microsoft doesn't allow CGIs to get at the username/password information like WebSTAR does. It forces you to use their built-in file/folder permissions (like Users+Groups on Mac) as the only means of protecting pages. For a Mac person, this is unusual, but for an NT person this is great: they get the normal centralized control of user access that they are accustomed to.What Microsoft didn't foresee was that someone might have a database full of records where each record has its own username/password which are completely unrelated to the file/folder permissions.Our best workaround was to not even try to use the true username/password coming from the browser; instead, we pass them through as form variables so that WebCatalog can 'see' them. The result, unfortunately, is that NT sites must explicitly pass these thru as variables, while Mac sites can simply get at the browser's username/password info with no need for propogating username/password. So if you were to compare the Admin templates for Mac/NT, you would see the NT version propagates username/password as variables.To sum up, WebCatalog/NT does not interfere with your normal NT security in any way: you can mix & match folder permissions for users you want to give access to, and then you can use WebCatalog's protection independently where you need to protect individual records. WebCatalog does its best simulating (in plain HTML) that dialog which users normally see on 401-protected pages.Sorry about the confusion: we assumed there would always be a way for a CGI to get the information, but it's just not possible. Since IIS is becoming the 'biggie', we went with its style -- WebSite actually works the same way as Mac does. -----------------------------One thing to keep in mind, though, is that this only applies to NT running IIS. If you are using another web server, such as WebSite, you can move the 'Authenticate Checker' file out of WebCatalog's directory and you will get the old style of authentication back (as Jay posted earlier today).I hope this clears things up a bit; if you have any other questions, please let me know.Marc Eagle StarNine Technologies http://www.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: protect tag on NT IIS (Olin 1997)
  2. Re: protect tag on NT IIS (Grant Hulbert 1997)
  3. Re: protect tag on NT IIS (Kenneth Grome 1997)
  4. Re: protect tag on NT IIS (Olin 1997)
  5. Re: protect tag on NT IIS (Kenneth Grome 1997)
  6. Re: protect tag on NT IIS (Olin 1997)
  7. Re: protect tag on NT IIS (Kenneth Grome 1997)
  8. RE: protect tag on NT (Kenneth Grome 1997)
  9. RE: protect tag on NT (Marc Eagle 1997)
  10. RE: protect tag on NT (Olin 1997)
  11. RE: protect tag on NT (Kenneth Grome 1997)
  12. RE: protect tag on NT (Jay Van Vark 1997)
  13. RE: protect tag on NT (Marc Eagle 1997)
Olin ->>Passing the username and password to every page means that sometimes >>you're going to have hyperlinks displaying those usernames and >>passwords in the browser. That's why I use [protect] more or less >>universally on the Mac. >Yes. This is not good as passwords are then cluttered all over the >creation in caches, log files, and registries...even when using forms. >>So what you're saying is that on NT running IIS, there's no way to >>hide the username and password values ... unless Forms using >>method=post (and no hyperlinks) are used to navigate from protected >>page to protected page? >Is the the final answer for IIS? Is a fix planned?It doesn't look like there's a way around it if you're using IIS as your web server. Here's a good explanation Grant sent me this morning (after my it's just the same as the Mac guess turned out to be wrong):----------------------------- Microsoft doesn't allow CGIs to get at the username/password information like WebSTAR does. It forces you to use their built-in file/folder permissions (like Users+Groups on Mac) as the only means of protecting pages. For a Mac person, this is unusual, but for an NT person this is great: they get the normal centralized control of user access that they are accustomed to.What Microsoft didn't foresee was that someone might have a database full of records where each record has its own username/password which are completely unrelated to the file/folder permissions.Our best workaround was to not even try to use the true username/password coming from the browser; instead, we pass them through as form variables so that WebCatalog can 'see' them. The result, unfortunately, is that NT sites must explicitly pass these thru as variables, while Mac sites can simply get at the browser's username/password info with no need for propogating username/password. So if you were to compare the Admin templates for Mac/NT, you would see the NT version propagates username/password as variables.To sum up, WebCatalog/NT does not interfere with your normal NT security in any way: you can mix & match folder permissions for users you want to give access to, and then you can use WebCatalog's protection independently where you need to protect individual records. WebCatalog does its best simulating (in plain HTML) that dialog which users normally see on 401-protected pages.Sorry about the confusion: we assumed there would always be a way for a CGI to get the information, but it's just not possible. Since IIS is becoming the 'biggie', we went with its style -- WebSite actually works the same way as Mac does. -----------------------------One thing to keep in mind, though, is that this only applies to NT running IIS. If you are using another web server, such as WebSite, you can move the 'Authenticate Checker' file out of WebCatalog's directory and you will get the old style of authentication back (as Jay posted earlier today).I hope this clears things up a bit; if you have any other questions, please let me know.Marc Eagle StarNine Technologies http://www.smithmicro.com/ Marc Eagle

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Thanks for tips, more quest (1997) Popup Menu Options (1998) WebCatalog for Postcards ? (1997) problems with 2 tags (1997) using showpage and showcart commands (1996) Tax and Shipping Examples (1997) Opinion: [input] should be called [output] ... (1997) Bug in capitalize ... ? (2003) Help Wanted - Stowe, Vermont (1999) WebCat2b15MacPlugIn - [authenticate] not [protect] (1997) Windows XP and cookies (2004) passing search criteria (1997) Tab Charactor (1997) How to Display text in empty fields (1997) select multiple 2 more cents (1997) PCS Frames (1997) Discounts (2001) Document Contains No Data! (1997) Targeted Redirect (1999) Date Range works (1997)