Authentication and Organization Issues


Authentication and Organization Issues

Patrick Larkin-2
Hello -

I am in the process of developing a really large site that will have both public and private components.  I will also have a large number of documents for public consumption.  I have a few issues that if anyone has time, I'd love to hear thoughts or insight on good ways to accomplish what I need.

AUTHENTICATION

The website will be generally public with areas that should only appear to authenticated users.  I have no issue authenticating people and hiding/revealing content.  Currently, they would go to a STAFF area, log in, and be presented with a customized page or pages for their use.  But I'd also like to handle the scenario of a staff member requesting areas of the website without first visiting the STAFF area.  For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.

I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?


ORGANIZATION

I have a large number of public documents, which is getting too large to simply present as lists.  Does anyone have any examples of really well done pages of documents where the documents are revealed as needed?  For instance, I'd like to show the current year's documents and have a really easy and intuitive way of getting to the previous 10 years or so of documents.  One caveat is that the documents (usually PDF) need to be indexed by Google.  As far as I know, the only way to have that happen is to have links which are crawlable by Google's bots.






Patrick


#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: Authentication and Organization Issues

Brad Lindsay-2
On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:

> For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>
> I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?

Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.

Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
  1. You'll need to make sure that the referrer URL is from your domain.

  2. Upon successful login, if the referrer url is your login page, you'll probably want to redirect to the home page instead.


Brad

Re: Authentication and Organization Issues

stevepiercy
On 10/4/12 at 10:24 AM, [hidden email] (Brad Lindsay) pronounced:

>On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:
>
>>For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>>
>>I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?
>
>Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.
>
>Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
>1. You'll need to make sure that the referrer URL is from your domain

I could be wrong, but I think that referral_url relies on the
client sending this information, and if so should not be trusted
or relied upon.

https://en.wikipedia.org/wiki/HTTP_referrer#Details

So it *must* be true.  ;)

>2. Upon successful login, if the referrer url is your login
>page, you'll probably want to redirect to the home page instead.

I redirect to a "dashboard" page.  "You are a member of the
sikrit Scooby club.  Look at all the cool Scooby Snacks you can
eat on our site!"

In the OP's request, they want to redirect to the page
immediately preceding the login page.  That can be done with
either a non-secure session (easiest) or decorating all your
clickables with GET parameter (looks ugly).  Then on the login
page, use a hidden input that takes the value of the page, and
if present then redirect to that page instead of the dashboard.

There's also a ton of information in the LassoTalk archive.  
Search for "Bil Corry" as the author and "authentication",
"authorization", and "secure" on Nabble.
http://lasso.2283332.n4.nabble.com/Lasso-Talk-f3096191.html

There's lots of good tips, including:
* Use HTTPS on login and authenticated pages, always
* Club to death secure session data and secure cookies on the
login and logout page
* Strategies for setting up a password reset function (not
change, but I forgot my password and cannot login)
* Strategies for password change
* How to store hashed passwords with a salt
* How to serve sikrit files to authenticated and authorized users
* Designing a simple user-group security model

--steve


>Brad
>

--
Steve Piercy    Web Site Builder    Soquel, CA
<[hidden email]>    <http://www.StevePiercy.com/>

Re: Authentication and Organization Issues

Patrick Larkin-2

On Oct 4, 2012, at 10:24 AM, Brad Lindsay wrote:

> On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:
>
>> For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>>
>> I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?
>
> Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.
>
> Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
>  1. You'll need to make sure that the referrer URL is from your domain
>
>  2. Upon successful login, if the referrer url is your login page, you'll probably want to redirect to the home page instead.

Can you elaborate on the 401 page?  I can't see how I'd ever invoke that page unless I was using Apache's realm authentication.  

Currently, my Lasso login page queries the database and there is either a match or not, which is responded to with the corresponding Lasso page.  Apache never gets any of this info.  Perhaps there is something really big I'm missing.  :)
Re: Authentication and Organization Issues

Brad Lindsay-2

On Oct 11, 2012, at 12:13 PM, Patrick Larkin <[hidden email]> wrote:

>
>
> On Oct 4, 2012, at 10:24 AM, Brad Lindsay wrote:
>
>> On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:
>>
>>> For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>>>
>>> I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?
>>
>> Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.
>>
>> Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
>> 1. You'll need to make sure that the referrer URL is from your domain
>>
>> 2. Upon successful login, if the referrer url is your login page, you'll probably want to redirect to the home page instead.
>
> Can you elaborate on the 401 page?  I can't see how I'd ever invoke that page unless I was using Apache's realm authentication.  
>
> Currently, my Lasso login page queries the database and there is either a match or not which is responded to with the corresponding Lasso page.  Apache never gets any of this info.  Perhaps there is something really big I'm missing.  :)

Sure. This approach doesn't redirect them to a login page when they try and access a page that needs them to be authenticated / authorized. Instead, it returns either a "401 Unauthorized" or "403 Forbidden".

If they are logged in (authenticated) but don't have permissions for that page / resource, I set the status to "403 Forbidden" and display my 403 page. If they aren't logged in yet and that's why they don't have permission for the page / resource, I set the status to "401 Unauthorized" and display my 401 page which includes the login form for authentication.  

Make sense?
Brad
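Putting Brad's two caveats, Steve's point that the referrer is client-supplied, and the 401/403 flow above into code, as an added Python example that is not from the thread and not Lasso; the hostname, paths and session layout are assumed.

```python
from urllib.parse import urlsplit

# Constructed values for this example; substitute your own.
SITE_HOST = "www.example.org"   # the one host we are willing to return to
LOGIN_PATH = "/staff/login"     # the single staff login page
DASHBOARD = "/staff/dashboard"  # fallback target when no safe return URL exists


def safe_return_url(candidate, site_host=SITE_HOST,
                    login_path=LOGIN_PATH, default=DASHBOARD):
    """Turn a client-supplied return URL (Referer header or hidden form
    field) into a redirect target that stays on our own site.

    Anything the client sent is untrusted, so we reject foreign hosts,
    scheme-relative '//host' forms, userinfo tricks, non-HTTP schemes and
    backslashes, and we never bounce back to the login page itself.
    """
    if not candidate or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != site_host:
        return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    if path == login_path:
        return default
    # Re-emit as a site-relative URL so no scheme or host is smuggled through.
    return path + ("?" + parts.query if parts.query else "")


def login_redirect_target(form, headers):
    """After a successful credential check: prefer the hidden input Steve
    describes, then the Referer, and validate whichever one is used."""
    return safe_return_url(form.get("return_to") or headers.get("Referer", ""))


def access_status(session, required_group):
    """Brad's flow for a protected resource: 401 with the login form when not
    authenticated, 403 when authenticated but not authorized, else serve it.

    session is a server-side session dict: {'user': ..., 'groups': [...]}.
    Returns (http_status, page_to_render).
    """
    if not session.get("user"):
        return 401, "login_form"
    if required_group not in session.get("groups", ()):
        return 403, "forbidden"
    return 200, "resource"
```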

Re: Authentication and Organization Issues

Patrick Larkin-2

On Oct 11, 2012, at 12:24 PM, Brad Lindsay wrote:

>
> On Oct 11, 2012, at 12:13 PM, Patrick Larkin <[hidden email]> wrote:
>
>>
>>
>> On Oct 4, 2012, at 10:24 AM, Brad Lindsay wrote:
>>
>>> On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:
>>>
>>>> For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>>>>
>>>> I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?
>>>
>>> Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.
>>>
>>> Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
>>> 1. You'll need to make sure that the referrer URL is from your domain
>>>
>>> 2. Upon successful login, if the referrer url is your login page, you'll probably want to redirect to the home page instead.
>>
>> Can you elaborate on the 401 page?  I can't see how I'd ever invoke that page unless I was using Apache's realm authentication.  
>>
>> Currently, my Lasso login page queries the database and there is either a match or not which is responded to with the corresponding Lasso page.  Apache never gets any of this info.  Perhaps there is something really big I'm missing.  :)
>
> Sure. This approach doesn't redirect them to a login page when they try and access a page that needs them to be authenticated / authorized. Instead, it returns either a "401 Unauthorized" or "403 Forbidden".
>
> If they are logged in (authenticated) but don't have permissions for that page / resource, I set the status to "403 Forbidden" and display my 403 page. If they aren't logged in yet and that's why they don't have permission for the page / resource, I set the status to "401 Unauthorized" and display my 401 page which includes the login form for authentication.  
>
> Make sense?
> Brad

Yes, thanks.  And that approach doesn't require me to write error handling for each authenticated resource as I have been doing.  

How exactly does one return a status rather than just do a redirect like I've been doing?

Re: Authentication and Organization Issues

Brad Lindsay-2
On Oct 17, 2012, at 3:57 PM, Patrick Larkin <[hidden email]> wrote:

> On Oct 11, 2012, at 12:24 PM, Brad Lindsay wrote:
>> On Oct 11, 2012, at 12:13 PM, Patrick Larkin <[hidden email]> wrote:
>>> On Oct 4, 2012, at 10:24 AM, Brad Lindsay wrote:
>>>> On Oct 4, 2012, at 10:10 AM, Patrick Larkin <[hidden email]> wrote:
>>>>> For example, if a staff member goes to the Human Resources portion of the site and clicks on something somewhat confidential like "Employment Contracts", I want the person to be sent to that STAFF login page (so I only have to have one) and then sent BACK to where they came from with the content visible.  There would be various points of entry like this but I really want to do it with one login page.
>>>>>
>>>>> I'm assuming others have done this.  I'm guessing that one would capture the page where the request came from and then use that as the return redirect.  Would this be correct course?  If not, any other ideas?
>>>>
>>>> Yep. There are various ways of capturing / keeping track of the page, but what you've outlined has worked for me.
>>>>
>>>> Another way that's worked for me is to include the login page in my 401 Unauthorized page. Then, when they submit the form for authentication, I just redirect back to the referrer URL. Some caveats with this approach:
>>>> 1. You'll need to make sure that the referrer URL is from your domain
>>>>
>>>> 2. Upon successful login, if the referrer url is your login page, you'll probably want to redirect to the home page instead.
>>>
>>> Can you elaborate on the 401 page?  I can't see how I'd ever invoke that page unless I was using Apache's realm authentication.  
>>>
>>> Currently, my Lasso login page queries the database and there is either a match or not which is responded to with the corresponding Lasso page.  Apache never gets any of this info.  Perhaps there is something really big I'm missing.  :)
>>
>> Sure. This approach doesn't redirect them to a login page when they try and access a page that needs them to be authenticated / authorized. Instead, it returns either a "401 Unauthorized" or "403 Forbidden".
>>
>> If they are logged in (authenticated) but don't have permissions for that page / resource, I set the status to "403 Forbidden" and display my 403 page. If they aren't logged in yet and that's why they don't have permission for the page / resource, I set the status to "401 Unauthorized" and display my 401 page which includes the login form for authentication.  
>>
>> Make sense?
>> Brad
>
> Yes, thanks.  And that approach doesn't require me to write error handling for each authenticated resource as I have been doing.  
>
> How exactly does one return a status rather than just do a redirect like I've been doing?

In Lasso 9, you can set your return status like so: [web_response->setStatus(403, 'Forbidden')]

Brad
Re: Authentication and Organization Issues

Patrick Larkin-2
Anything like that in 8.6?

On Oct 17, 2012, at 4:04 PM, Brad Lindsay wrote:

> In Lasso 9, you can set your return status like so: [web_response->setStatus(403, 'Forbidden')]
>
> Brad

Re: Authentication and Organization Issues

Wade Maxfield
On 19/10/2012, at 3:31 AM, Patrick Larkin <[hidden email]> wrote:

> Anything like that in 8.6?
>
> On Oct 17, 2012, at 4:04 PM, Brad Lindsay wrote:
>
>> In Lasso 9, you can set your return status like so: [web_response->setStatus(403, 'Forbidden')]
>>
>> Brad
>
>

I've been using this in 8.5 as part of Jason Huck's error handling tips:

$__http_header__ = (String_ReplaceRegExp: $__http_header__, -Find='(^HTTP\\S+)\\s+.*?\r\n', -Replace=('\\1 403 Forbidden\r\n'));

 - Wade

