Re: [Koha-devel] authentication
From: Tonnesen Steve
Subject: Re: [Koha-devel] authentication
Date: Sun Jul 7 20:41:01 2002

On Mon, 8 Jul 2002, Rachel Hamilton-Williams wrote:
> All my concerns are to do with the OPAC - I'm not at all bothered about the
> intranet.
>
> 1/. A member of the public must be able to search/use the catalogue without
> having cookies turned on. For one reason or another there will be people who
> don't/can't/won't use cookies, they shouldn't be barred from the OPAC because
> of it.

Absolutely. The checkauth() routine will accept an option stating whether
authentication is mandatory or not. If it _is_ mandatory, checkauth will
display a login screen if the user is not authenticated. If it is _not_
mandatory, checkauth will return a NULL userid to the calling script
signifying that the user is not authenticated.

Most OPAC functions will work just fine without authentication, but will
probably provide personalized functions if authenticated. Things like
saved item lists, where you can check a box beside search results and they
will be added to a list of items you are interested in.

> 2/. For it to be useful for a public library I would think that the public
> should be able to use *all* parts of the OPAC without having cookies turned
> on - even the bits where they need to authenticate.

First of all, Auth.pm will support either cookies or basic authentication,
so a library can opt to use no cookies whatsoever. It will also be
possible to use both by creating an alternative VirtualHost for the OPAC
which uses basic authentication. At the cookie-based login screen, the
user can be offered the choice of logging in without cookies by linking
to the basic authentication virtual host for the OPAC. In this way,
library search stations could be configured to use cookie-based
authentication, enabling the timed logout feature, while patrons from home
can log in without cookies.

I think we've got all the bases covered here.

Now as to whether we go with my home-rolled session code, or use
mod_auth_tkt (which is a third-party Apache module not included with the
Apache distribution), that discussion will have to join the
checkvalidisn() discussion. :)

Steve.
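
The checkauth() behaviour described in the message above, as an added Perl sketch that is not Koha's Auth.pm and not code from this thread: it shows the optional versus mandatory return value and the two login paths (cookie session with timed logout, or basic authentication passed in by the web server). The cookie name `sessionID`, the in-memory session store, the timeout value and the status strings are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added sketch, not Koha's Auth.pm. Cookie name, store and timeout are assumed.
use strict;
use warnings;

my $IDLE_TIMEOUT = 600;    # seconds of inactivity before timed logout (assumed)
my %sessions;              # session id => { userid, last_seen }

# Returns (userid, status); userid is undef for an unauthenticated visitor.
sub checkauth {
    my ($env, $auth_required, $now) = @_;
    $now //= time;

    # Basic-auth virtual host: the web server verified the password and set
    # REMOTE_USER. Credentials are resent on every request, so this host
    # needs TLS, and there is no server-side timed logout on this path.
    return ($env->{REMOTE_USER}, 'basic')
        if length($env->{REMOTE_USER} // '');

    # Cookie virtual host: accept only a well-formed, known, unexpired id.
    my ($sid) = ($env->{HTTP_COOKIE} // '')
        =~ /(?:^|;\s*)sessionID=([0-9a-f]{32})(?:;|$)/;
    my $s = defined $sid ? $sessions{$sid} : undef;
    if ($s) {
        if ($now - $s->{last_seen} <= $IDLE_TIMEOUT) {
            $s->{last_seen} = $now;
            return ($s->{userid}, 'cookie');
        }
        delete $sessions{$sid};    # idle too long: timed logout
    }

    # Optional pages get undef and carry on; mandatory pages show a login.
    return (undef, $auth_required ? 'login_required' : 'anonymous');
}

# Constructed sample requests (no real patron data).
my $sid = '0123456789abcdef' x 2;
$sessions{$sid} = { userid => 'patron42', last_seen => 1000 };
my @cases = (
    [ 'search, no cookies',     {},                                  0, 1100 ],
    [ 'saved list, no cookies', {},                                  1, 1100 ],
    [ 'search station, cookie', { HTTP_COOKIE => "sessionID=$sid" }, 1, 1100 ],
    [ 'same cookie, idle',      { HTTP_COOKIE => "sessionID=$sid" }, 1, 2000 ],
    [ 'home user, basic auth',  { REMOTE_USER => 'patron7' },        1, 1100 ],
);
for my $c (@cases) {
    my ($label, $env, $required, $now) = @$c;
    my ($userid, $status) = checkauth($env, $required, $now);
    printf "%-24s userid=%-8s status=%s\n", $label, $userid // 'undef', $status;
}
```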