mhonarc-users

Re: Protected Archives

1998-01-07 10:33:21
> I thought about implementing
> a password-based access to the archives but preliminary indications
> are that having to always supply a password can quickly become annoying.

Any good server/browser shouldn't require entering a password more than
once for access to the archives.  I maintain such a password protected
archive, and I have no complaints from my users.  Since most everyone
uses either Netscape or IE, and all versions of these support the right
type of authentication (HTTP Basic Authentication), you're just fine.  

Keep in mind that this method means that clear-text passwords are going
out across the net, so you should be running on an SSL server if you
have severely confidential information.  


> I think that an authentication system based on the subscribers' computer
> hostname, name, or email address would be best. That is, the server
> would simply match the users' name or computer hostname to an entry in
> a database to give or deny access.

The problems with these ideas are numerous:  my computer doesn't have the
same IP address every time (dynamic IP addressing from my ISP).  Many,
many people have this situation.  If you're asking for a computer name,
well, that's just as bad.  Today I might be h-207-112-199-13.visi.com,
tomorrow (or 20 minutes from now) I'll be something else.  As for e-mail
address, how are you going to ask the user?  The browser doesn't give it
to the server automatically.

Without the complexity of a certificate based authentication system
(very nice for the user, but a royal pain to set up for the
administrators), you're basically stuck with HTTP Basic Authentication.  


david d zuhn
zoo(_at_)armadillo(_dot_)com
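
Added example, not part of the original message: a minimal server-side sketch of the HTTP Basic Authentication check discussed above, showing that the header the browser resends on every request is only base64-encoded, and that the password challenge is refused unless the connection is SSL/TLS. The user name, password, salt, realm and function names are assumptions made up for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: user, password, salt and realm are made up for this example.
SALT = b"example-salt"
USERS = {"subscriber": hashlib.pbkdf2_hmac("sha256", b"s3cret-archive", SALT, 100_000)}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="List Archive"'}
# What the browser resends on every request after the user answers the prompt once.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"subscriber:s3cret-archive").decode()


def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        # base64 is an encoding, not encryption: anyone who sees the header can do this.
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(headers, is_tls):
    """Return (status, response_headers) for a request to the protected archive."""
    if not is_tls:
        # Never issue the challenge over plain HTTP, so the browser is never
        # prompted to send the password where it can be read in transit.
        return 403, {}
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, CHALLENGE
    user, password = creds
    expected = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Constant-time compare; unknown users are compared against a dummy value.
    ok = hmac.compare_digest(candidate, expected or bytes(32))
    return (200, {}) if expected is not None and ok else (401, CHALLENGE)


if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    print(authorize({"Authorization": SAMPLE_HEADER}, is_tls=True))
    print(authorize({"Authorization": SAMPLE_HEADER}, is_tls=False))
```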
