I said the stuff w/ > :)
|I was asked if it's possible to use SecurID to control access
|to a web server ... i.e. to provide very limited access to
|the information presented on a server.
>
> Yes it's possible.
>
|What do you think? And what do you think about the actual implementation?
|Is it doable?
>
> I dunno, I do know that ncsa's httpd server has things like this:
>
> # AuthType Basic
> # AuthName By Secret Password Only!
> <Limit GET>
>
> Which would imply to me that 'AuthType Basic' could be changed to
> 'AuthType SNK' or 'AuthType SKey' somehow.....
]
] Wouldn't you run into state problems?
] The browser authenticates every time it fetches an object from the
] server, so you'd be forever typing in responses, no?
No.
] (You might be able to hack around it whereby the server "remembers"
] the last response given, and if the user gets it wrong, offers a new
] challenge. You'd lose that whole OTP thing, though. =) )
It does 'remember' it, in some manner I've not taken the time to
understand. Regardless, you make a good point, that being that a
one time password would be used to authenticate a hybrid 'session'
which would really consist of 'N' TCP sessions (those being
htgets).
The time has come that a standard is developed for stateful web
connections.
Is there any work being done in this or do I get to start another
group?
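The hybrid session described above (one OTP exchange standing in for the N per-request authentications of Basic auth), as an added example that is not part of this thread or of the NCSA httpd code: a gateway that keeps server-side state so each challenge is consumed exactly once (a replayed response fails), and that hands out a bounded-lifetime session token for the follow-on GETs. The user name, the shared secret and the HMAC response function are constructed assumptions, not SecurID's or S/Key's algorithm.

```python
import hmac, hashlib, secrets, time

def token_response(secret, challenge):
    """Constructed stand-in for what the user's token computes."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()

class OtpSessionGateway:
    """Turns one OTP challenge/response into a multi-request session.

    State kept by the server: the outstanding challenge per user (so a
    response can only be used once) and the issued session cookies.
    """
    def __init__(self, user_secrets, session_ttl=300):
        self.user_secrets = user_secrets   # user -> shared secret (bytes)
        self.challenges = {}               # user -> outstanding challenge
        self.sessions = {}                 # cookie -> (user, expiry time)
        self.session_ttl = session_ttl

    def handle(self, user, response=None, cookie=None, now=None):
        """Return (status, response_headers) for one GET."""
        now = time.time() if now is None else now
        if user not in self.user_secrets:
            return 401, {}
        # 1. Session path: the N-th GET of a session needs no new OTP.
        if cookie is not None:
            sess = self.sessions.get(cookie)
            if sess and sess[0] == user and sess[1] > now:
                return 200, {}
            return 401, {}   # unknown, expired, or another user's cookie
        # 2. OTP path: the challenge is popped, so right or wrong it is
        #    gone; a replay or a second guess gets a fresh challenge.
        if response is not None:
            challenge = self.challenges.pop(user, None)
            if challenge is None:
                return 401, {}   # nothing outstanding: replay or stale
            expected = token_response(self.user_secrets[user], challenge)
            if not hmac.compare_digest(response.encode(), expected.encode()):
                return 401, {}
            token = secrets.token_urlsafe(32)
            self.sessions[token] = (user, now + self.session_ttl)
            return 200, {"Set-Cookie": token}
        # 3. No credentials at all: issue a challenge (constructed scheme name).
        challenge = secrets.token_hex(8)
        self.challenges[user] = challenge
        return 401, {"WWW-Authenticate": f'OTP challenge="{challenge}"'}
```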