Knowledge base/5.0 Access Control/5.2 Remote Authentication - Other ways to control access

5.2.2 Setting up Remote Authentication

Yoav Schwartz
posted this on August 23, 2009 05:46 pm

With this feature, you can password protect your titles. This feature is intended to leverage your existing database of registered members. Rather than give us access to your database, you can setup a simple script on your site, accessible over the web that our system can securely POST information to. 

To set this up just choose a title, edit it and navigate to the Security>Remote Authentication section

Remote Authentication Setup Screenshot

Edit_Title_Remote_Authentication_setup.png

 

Check activate remote authtentication on this title box then fill out the fields.

You must provide the below (Reference the image above)

(1)Address where your script resides on your host system.  This script will take the Username and Password POSTed by our system and compare your remote database of users.

(2)String returned on success  OR userID(to be used in conjunction with Annotations tool - see this section below)

(3)Username Field name defined in your remote script

(4)Password Field Name(optional) defined in your remote script

(5)Custom Log On message(optional)

(6)Website for readers to navigate to for help in subscribing(optional)

 

Promotion Section: 

You can allow a short preview for non-members?(optional).  Just check the box and set the number of pages you want to allow a user to view without being logged in.

 

Reference Example

Let's take a fictional website "www.abc-co.com" as an example.

In this example:

  • ABC Co. has a database of users who can gain access to a specific title
  • ABC Co. creates a script that checks if a user has the necessary privileges
  • the remote login script is http://www.abc-co.com/loginscript.php
  • the username field name is uname
  • the password field name is pword
  • the string returned on success is welcome!

  • Our system POSTS a form that can be assumed to look like

    <form method="post" action=" http://www.abc-co.com/loginscript.php">
    <input type="text" name="uname" value="bob" />
    <input type="password" name="pword" value="bob123" />
    </form>

  • since user bob's password really is "bob123", the script prints out "welcome!". Whatever is printed out by the script will be returned as the value, so make sure to not print out any html.

Our system will send the form using POST method (not GET) only from our backend, so you need not worry that anyone will ever see this script via client-side scripting.

An example php script: (for learning purposes only)

<?php

//open connection to database
mysql_connect(…);

//select your database
mysql_select_db(…);

$sql = "SELECT count(*) FROM `user_table` where username='" . $_POST['uname'] . "' AND password='" . $_POST['pword'] . "' LIMIT 1";

$result = mysql_query($sql);
$count = mysql_result($result,0);

if($count==1){
echo "welcome!";
} else {
echo "username/password combo not found";
}

?>

New: Return User's ID as Success Message

With the introduction of the Annotation Tools Widget comes the ability to return your users' ID instead of a generic success message. This will allow us to store information for your remote users on our system. If "return user's ID" is selected as the Success return value, your script should be modified to output the user's ID or username. In the example above, the last line could simply be changed to:

  • ...
    if($count==1){
    echo $_POST['uname'];
    }
    ...

Single Passphrase - Control Access with a Password