WebAuth: How it Works

WebAuth is a program to securely authenticate users for Web applications using UCInetIDs and passwords. The information below will help you get started.

The goal of the Web Authentication Tool is to provide a single, secure place at UCI for users to enter their UCInetID and password when they need to access web space where their UCInetID needs to be validated. The Web Authentication Tool uses a token to identify the time that a particular UCInetID was authenticated at a specific IP address. It is up to the server requiring the authentication to check not only for a valid token, but also that the IP address is the same and that the token is recent enough to still be acceptable.

The first step of using the Web Authentication Tool is to determine the access control mechanism. The two ways of controlling access are through a CGI program or by modifying the server. In either case, the next (and final) step is to write or re-use a program that interacts with the Web Authentication Tool.

The general flow of how it works:

A browser that has authenticated is carrying either a cookie or a GET variable named ‘ucinetid_auth’. The value of this variable is the token for the Web Authentication Tool. This token is sent to the authentication database as a GET variable and the response is a listing of the traits for that token. If the returned traits are acceptable, the information is presented. If a browser does not send a valid token (or no token at all), it is directed to the web page where the user enters their UCInetID and password.

WebAuth Flow Chart

There are three URLs/programs used to interact with the UCInetID Web Authentication Database:

  1. webauth is the page that prompts the user for a UCInetID and password and, if these are correct, enters the data in the database and sets the cookie/variable in the browser.
  2. webauth_check is used to get the data associated with a specific Web Authentication Tool token. The data is either returned as key/value pairs with key=value on a single line, or the same data can be returned as an XML document.
  3. webauth_logout is used to clear an entry in the UCInetID Web Authentication Database. When sent to this program, the program picks up the Web Authentication Tool token from the cookie in the browser or from the URL as a GET variable.

webauth

The following arguments can be used as GET variables with webauth:

webauth?return_url=URL

return_url should be set to the URL that the browser will be sent to after a successful login.

webauth_check

The following arguments can be used as GET variables with webauth_check:

webauth_check?ucinetid_auth=64CHARSTRING&return_xml=true

ucinetid_auth is a 64 character string stored in the database as the key to other information about the login. This variable is required.

return_xml (if set to ‘true’) will have the output returned as XML.

The data that is returned is:

ucinetid: the UCInetID authenticated with this key
auth_host: the IP number of the host that the key was authenticated from
age_in_seconds: how many seconds ago the UCInetID was authenticated
time_created: the seconds since epoch that this key was authenticated
seconds_since_checked: seconds since the last time webauth_check was run on this key
last_checked: the seconds since epoch when webauth_check was last run on this key
campus_id: a unique number for every person on campus that will never be duplicated or repeated. This should be used as a key in a database.
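The checks the page leaves to the calling server (a valid token, a matching IP address, and an acceptable age), applied to the key=value output of webauth_check, as an added example that is not part of the original page or of the WebAuth tool itself. The base URL, the maximum age and the sample response are assumptions constructed for illustration.

```python
import urllib.parse

# Assumed base URL of the campus WebAuth service (placeholder, not from the page).
WEBAUTH_BASE = "https://webauth.example.edu/"
# Maximum acceptable token age in seconds (a site policy value; assumed here).
MAX_AGE_SECONDS = 8 * 3600

def parse_webauth_check(body):
    """Parse the default key=value-per-line output of webauth_check into a dict."""
    traits = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        traits[key.strip()] = value.strip()
    return traits

def validate_token(traits, client_ip, max_age=MAX_AGE_SECONDS):
    """Apply the server-side checks: a ucinetid is present, the token was
    issued to the same IP address as the current request, and it is recent."""
    if not traits.get("ucinetid"):
        return False, "no ucinetid in response (token unknown or expired)"
    if traits.get("auth_host") != client_ip:
        return False, "auth_host does not match client IP"
    try:
        age = int(traits.get("age_in_seconds", ""))
    except ValueError:
        return False, "age_in_seconds missing or not an integer"
    if age < 0 or age > max_age:
        return False, "token too old"
    return True, traits["ucinetid"]

def login_redirect(return_url):
    """Build the webauth URL that sends an unauthenticated browser to log in."""
    return WEBAUTH_BASE + "webauth?" + urllib.parse.urlencode({"return_url": return_url})

# Constructed sample response, shaped like the key=value output described above.
SAMPLE_RESPONSE = """ucinetid=panteater
auth_host=128.195.1.2
age_in_seconds=120
time_created=1700000000
seconds_since_checked=5
last_checked=1700000115
campus_id=12345678
"""
```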

webauth_logout

The following arguments can be used as GET variables with webauth_logout:

webauth_logout?ucinetid_auth=64CHARSTRING&return_url=URL

ucinetid_auth is a 64 character string stored in the database as the key to other information about the login. If this variable is not provided, the cookie value is used. (That is the best way to redirect a user.)

return_url should be set to the URL that the browser will be sent to after the entry is deleted.
