* Joachim Schipper <[EMAIL PROTECTED]> [2006-09-18 00:55]:
> On Sun, Sep 17, 2006 at 08:46:40PM -0600, Chris Kuethe wrote:
> > On 9/17/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > >On Saturday 16 September 2006 03:33, Bryan Irvine wrote:
> > >> Just make a table and write up some script that add to the table.
> > >>
> > >> Something like nocat would probably what you are looking for. Maybe
> > >> nocat would work? I've never used it so I don't know.
> > >
> > >(This apply to all HTTP fw/authpf solutions...)
> > >How do you know when a user has "logged out"?
> >
> > A nasty ugly hack that I've seen in production is that you have to
> > make an https request to the gateway every so often (usually once a
> > minute). I can think of lots of ways to subvert such a system.
>

This is exactly why authpf uses ssh instead of https. ssh connections are for a session, and they stay around. https is not. https just plain blows for this.

If you really want a "secure" web based authpf - use authpf - and go find the cheesy java ssh client.

If you want it insecure and spoofable, make a 3 line cgi that drops users into a pf table after authenticating and use the new dhcp features on the net you're doing it on to clear the table when IPs are released. But this is not the list to talk about insecure spoofable solutions.

-Bob