
Re: OWS, PL/SQL Cartridges & Username/Passwords

From: Daryl Collins <Daryl.Collins_at_usa.alcatel.com>
Date: Tue, 27 Jul 1999 09:30:14 -0500
Message-ID: <379DC276.D5DB7A2A@usa.alcatel.com>



This is a real problem when you use database authentication. For me it's
exactly the same as client server: if you were using forms, the user stays
logged in; they are only logged out after they exit forms. Same thing with
the browser. The difference with the browser is I can be looking at some
other pages and not realize you are logged in to an application.

There was something on the Oracle government home page (I can never remember the URL), but my memory is all fuzzy. I think it added a cartridge to force the log out, not quite the same as timing out.

With a cookie the problem is similar unless you do some other stuff: you need to store the username and password in a cookie with no expiration, and then another cookie, time of last hit, with an expiration (or not; you can do the code yourself if you like to write more code than is needed).

Every page will have to authenticate the user (or at least check the cookies are there) and, if the last hit time is before some specified value, redirect to a login page. You can make it so that when I log in again I zoom off to the link I requested, so I don't have to navigate to where I was. That would be cute.

This works and there are a few sites doing this. The downside is the extra code (not a lot really). There are also some potential audit features lost: when you use db authentication the Oracle username can be traced back to a real person; the Oracle user using cookies is some generic username, using the pseudo column user means very little.

The only other downside is you are using cookies (I like cookies, I have no problems with them; designed and used well, they rock). It's other people that you need to work on (end users and developers alike); they have got some strange ideas - educate them :)

Hope this helps

Daryl Collins

Karl Keyte wrote:

A question regarding Oracle Web Server and its interaction with pages
requiring authentication...

When a page requires authentication, something is sent back in the HTTP
(presumably) to get the browser to prompt for a username & password.
The problem is that this is then cached and never requested again unless
the browser is restarted.

Is there any way to effect a 'log-off' so that a re-authentication can be
made?
There seems to be a security problem otherwise in that a different user
can use the same browser session to access someone else's data. Also, the
page history is maintained so that a new user can jump directly into
another person's session.

Is there no option for using cookies and providing a true log-out style
mechanism?

What approach has anyone else taken for prompting for usernames and
passwords?

Please e-mail me back at: karl@koft.com.

Many thanks for your help.

Karl

Received on Tue Jul 27 1999 - 09:30:14 CDT
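
The per-page check described in the reply (last-hit cookie, redirect to login when idle too long, then return to the requested link), as an added example that is not part of the original thread. It swaps the username-and-password cookie for a username plus last-hit time protected by an HMAC, so no password is stored in the browser and the real username stays available for audit; the secret, timeout, login URL and function names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, urlsplit

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to the browser
IDLE_LIMIT = 15 * 60               # assumption: 15-minute idle timeout, in seconds
LOGIN_PAGE = "/login"              # hypothetical login URL


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, now: float) -> str:
    """Cookie value: username, time of last hit, and a MAC over both."""
    payload = f"{username}|{int(now)}"
    return f"{payload}|{_sign(payload)}"


def safe_return_path(url: str) -> str:
    """Accept only same-site paths so the post-login redirect cannot leave the site."""
    parts = urlsplit(url)
    if (parts.scheme or parts.netloc or "\\" in url
            or not url.startswith("/") or url.startswith("//")):
        return "/"
    return url


def check_request(cookie, requested_url, now=None):
    """Run on every page. Returns (action, value, refreshed_cookie)."""
    now = time.time() if now is None else now
    login = f"{LOGIN_PAGE}?next={quote(safe_return_path(requested_url), safe='')}"
    try:
        username, last_hit, mac = cookie.split("|")
        valid = hmac.compare_digest(mac, _sign(f"{username}|{last_hit}"))
        idle = now - int(last_hit)
    except (AttributeError, TypeError, ValueError):
        return ("redirect", login, None)       # missing or malformed cookie
    if not valid or idle < 0 or idle > IDLE_LIMIT:
        return ("redirect", login, None)       # tampered, or idle too long
    return ("allow", username, issue_cookie(username, now))  # slide the idle window


def logout_cookie() -> str:
    """Explicit log-out: overwrite the cookie with an empty value."""
    return ""
```

A stolen cookie still works until the idle limit passes, so this belongs on an encrypted connection with the cookie marked Secure and HttpOnly.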
