Thank you so much!
So like Richard, you're running Apache anonymously and off-loading authentication to the app stack. I'm starting to see a pattern. :D
-----Original Message-----
From: B Stone [mailto:bvstone@xxxxxxxxx]
Sent: Friday, January 31, 2020 9:32 AM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxxxxxxxx>
Subject: Re: [WEB400] Apache authentication efficiency
How I do it...
1. Set up user in a validation list (*VLDL) with user and password. This is usually validated through email and their account isn't active until the click a link with a token (and IP, etc) in it to check against.
2. When they log on, validate against the validation list.
3. If it's good, generate a unique session ID/token and an expiration.
Store it in a file (with IP, and other info) in a file to match it to the ID. Put the token in a cookie.
4. Each request is validated against the token from the cookie (and IP address, etc).
Don't forget to set up a "forgot my password" link. Validation lists you can't retrieve the password, you can only validate against it to see if the one entered is correct.
If you wanted to use OSS (node, etc) I bet there are built in token/oauth features you could use.
You've signed up for things before online, no doubt (like this list, FB, Linked in, etc) , so you should be pretty familiar with the high level process.
Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #15 <
https://www.bvstools.com/mailtool.html>: The ability to add a Footer to each email sent using an IFS stream file.
midrange.com
