[CLUG-chat] Website Visitor Authentication that can't be given to others

Charles Oertel charles at finebushpeople.net
Fri Jun 17 13:08:40 SAST 2005

Hi all

Pondering a problem for a big website running Apache on RH Linux (the 
Linux angle ;-):

The site will be selling subscriptions to content, but the usual 
username/password mechanism lends itself to people giving it away to 
others for free use.

What other mechanism could one use to prevent this?

My thoughts are along the lines of emailing the subscriber a link that 
sets up a unique cookie in their browser.  If the cookie isn't there 
then no access.  If they lose the cookie, then the 'forgot password' 
function emails them another link.

Since only the PC with the subscribed email address has ready access to 
the cookie-link, it is hard to just give someone the username/password 
(you'd have to forward emails and/or copy cookies).


(Ooh, ja, before the thought-police get me: the client actually doesn't 
want cookies, 'cos he deletes his every day (wtf?).  Yet, (and this is 
the joy of Windoze users), he knows his machine is infected with spyware 
that he cannot remove.  He wants some software that subscribers can 
download and install (cookies are BAAAD, arbitrary downloaded software = 
GOOOD ???).)

To me, cookies are about the only platform-independent mechanism for 
this kind of thing (MS killed Java, and I do not want to go to having 
separate software for *nix, Mac and 'doze).

Ideas anyone?
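
The emailed-link-plus-cookie scheme described in the post above, as an added example that is not part of the original message. The function names are hypothetical, and the in-memory dicts (standing in for the site's database), the 15-minute link lifetime and the one-active-cookie-per-subscriber policy are all assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL = 15 * 60   # assumption: emailed links expire after 15 minutes

pending = {}     # sha256(link token) -> (email, expiry time)
by_cookie = {}   # sha256(cookie value) -> email
current = {}     # email -> sha256 of the one cookie valid for that subscriber


def _digest(value):
    # Store only hashes, so a leaked table cannot be replayed as links or cookies.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_link(email, now=None):
    """Create the single-use token to embed in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[_digest(token)] = (email, now + LINK_TTL)
    return token


def redeem_link(token, now=None):
    """Swap a link token for a cookie value; None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)   # pop: a link works once
    if entry is None or now > entry[1]:
        return None
    email = entry[0]
    by_cookie.pop(current.get(email), None)     # retire the previous browser's cookie
    cookie = secrets.token_urlsafe(32)
    current[email] = _digest(cookie)
    by_cookie[current[email]] = email
    return cookie   # send as Set-Cookie with the Secure and HttpOnly attributes


def check_cookie(cookie):
    """Return the subscriber's email for a current cookie, else None (no access)."""
    if not isinstance(cookie, str):
        return None
    return by_cookie.get(_digest(cookie))
```

Because each redeemed link retires the previous cookie, a subscriber who forwards a fresh link to someone else loses their own access, which is what makes sharing costly under this scheme.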

