Unusual password request

I got an unusual request. One customer wants a password/access made
available to a user that is valid for only, say, ten minutes. I know
that I can enforce this by having a revalidation of the password every
time the user changes a page. This, though, seems like a a lot of
overhead in having to make a db call every time a page is changed.

I also thought about setting a timer for ten minutes, and on firing of
that timer unset a session variable that I would have set when the user
is given this temporary access. Doing this, I would only have to check
at the top of every page that the session variable is set- no big deal.

What do you folks think about this request?

sheldonlg wrote:
> I got an unusual request. One customer wants a password/access made
> available to a user that is valid for only, say, ten minutes. I know
> that I can enforce this by having a revalidation of the password every
> time the user changes a page. This, though, seems like a a lot of
> overhead in having to make a db call every time a page is changed.
>

> I also thought about setting a timer for ten minutes, and on firing of
> that timer unset a session variable that I would have set when the user
> is given this temporary access. Doing this, I would only have to check
> at the top of every page that the session variable is set- no big deal.
>

You need to validate that the user is logged in (session) on every page
requiring password access anyway, right? So store the login time in a
session variable and if it has timed out, ... log them out. I don't see
the problem.

> What do you folks think about this request?
>

Seems rude to me.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Chuck Anderson wrote:
> sheldonlg wrote:
>> I got an unusual request. One customer wants a password/access made
>> available to a user that is valid for only, say, ten minutes. I know
>> that I can enforce this by having a revalidation of the password every
>> time the user changes a page. This, though, seems like a a lot of
>> overhead in having to make a db call every time a page is changed.
>>
>
>> I also thought about setting a timer for ten minutes, and on firing of
>> that timer unset a session variable that I would have set when the
>> user is given this temporary access. Doing this, I would only have to
>> check at the top of every page that the session variable is set- no
>> big deal.
>>
>
> You need to validate that the user is logged in (session) on every page
> requiring password access anyway, right? So store the login time in a
> session variable and if it has timed out, ... log them out. I don't see
> the problem.

Man, it is really trivial after all. Thanks. (Now why didn't I think
of such an obvious solution?)


>
>> What do you folks think about this request?
>>
>
> Seems rude to me.

Huh? I hope you don't mean me. If you mean the client, what he wants
to do is give a "taste" of the site before the user has to subscribe.

sheldonlg wrote:
> Chuck Anderson wrote:
>
>> sheldonlg wrote:
>>
>>> I got an unusual request. One customer wants a password/access made
>>> available to a user that is valid for only, say, ten minutes. I know
>>> that I can enforce this by having a revalidation of the password every
>>> time the user changes a page. This, though, seems like a a lot of
>>> overhead in having to make a db call every time a page is changed.
>>>
>>>
>>> I also thought about setting a timer for ten minutes, and on firing of
>>> that timer unset a session variable that I would have set when the
>>> user is given this temporary access. Doing this, I would only have to
>>> check at the top of every page that the session variable is set- no
>>> big deal.
>>>
>>>
>> You need to validate that the user is logged in (session) on every page
>> requiring password access anyway, right? So store the login time in a
>> session variable and if it has timed out, ... log them out. I don't see
>> the problem.
>>
>
> Man, it is really trivial after all. Thanks. (Now why didn't I think
> of such an obvious solution?)
>
>
>
>>> What do you folks think about this request?
>>>
>>>
>> Seems rude to me.
>>
>
> Huh? I hope you don't mean me. If you mean the client, what he wants
> to do is give a "taste" of the site before the user has to subscribe.
>

You said "I got an unusual request. ........ " And later asked ...
"What do you folks think about this request?"

So ..... what do you think?

Logging someone out after ten minutes seems rude. If I got a phone call
...... had to break away for some reason ..... was simply confused for 8
minutes ..... and then that was it; I don't think I'd be coming back.
Restricting usage somehow rather than time at the site seems a better idea.

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Chuck Anderson wrote:
> sheldonlg wrote:
>> Chuck Anderson wrote:
>>
>>> sheldonlg wrote:
>>>
>>>> I got an unusual request. One customer wants a password/access made
>>>> available to a user that is valid for only, say, ten minutes. I
>>>> know that I can enforce this by having a revalidation of the
>>>> password every time the user changes a page. This, though, seems
>>>> like a a lot of overhead in having to make a db call every time a
>>>> page is changed.
>>>> I also thought about setting a timer for ten minutes, and on
>>>> firing of that timer unset a session variable that I would have set
>>>> when the user is given this temporary access. Doing this, I would
>>>> only have to check at the top of every page that the session
>>>> variable is set- no big deal.
>>>>
>>> You need to validate that the user is logged in (session) on every
>>> page requiring password access anyway, right? So store the login time
>>> in a session variable and if it has timed out, ... log them out. I
>>> don't see the problem.
>>>
>>
>> Man, it is really trivial after all. Thanks. (Now why didn't I think
>> of such an obvious solution?)
>>
>>
>>
>>>> What do you folks think about this request?
>>>>
>>> Seems rude to me.
>>>
>>
>> Huh? I hope you don't mean me. If you mean the client, what he wants
>> to do is give a "taste" of the site before the user has to subscribe.
>>
>
> You said "I got an unusual request. ........ " And later asked ...
> "What do you folks think about this request?"
> So ..... what do you think?
>
> Logging someone out after ten minutes seems rude. If I got a phone call
> ..... had to break away for some reason ..... was simply confused for 8
> minutes ..... and then that was it; I don't think I'd be coming back.
> Restricting usage somehow rather than time at the site seems a better idea.
>

I agree. Better to give them access to a subset of what's available,
with information on what they're missing.

Plus, there are ways around it - for instance, when my session expires,
just create another user (so maybe I have to clear cookies in my
browser). And if it requires verification, I can create 5,000 gmail
accounts and be there for months.

But more likely I'll never come back.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Greetings, Jerry Stuckle.
In reply to Your message dated Saturday, May 10, 2008, 14:53:15,

>>>>> I got an unusual request. One customer wants a password/access made
>>>>> available to a user that is valid for only, say, ten minutes. I
>>>>> know that I can enforce this by having a revalidation of the
>>>>> password every time the user changes a page. This, though, seems
>>>>> like a a lot of overhead in having to make a db call every time a
>>>>> page is changed.
>>>>> I also thought about setting a timer for ten minutes, and on
>>>>> firing of that timer unset a session variable that I would have set
>>>>> when the user is given this temporary access. Doing this, I would
>>>>> only have to check at the top of every page that the session
>>>>> variable is set- no big deal.
>>>>>
>>>> You need to validate that the user is logged in (session) on every
>>>> page requiring password access anyway, right? So store the login time
>>>> in a session variable and if it has timed out, ... log them out. I
>>>> don't see the problem.
>>>>
>>>
>>> Man, it is really trivial after all. Thanks. (Now why didn't I think
>>> of such an obvious solution?)
>>>
>>>
>>>
>>>>> What do you folks think about this request?
>>>>>
>>>> Seems rude to me.
>>>>
>>>
>>> Huh? I hope you don't mean me. If you mean the client, what he wants
>>> to do is give a "taste" of the site before the user has to subscribe.
>>>
>>
>> You said "I got an unusual request. ........ " And later asked ...
>> "What do you folks think about this request?"
>> So ..... what do you think?
>>
>> Logging someone out after ten minutes seems rude. If I got a phone call
>> ..... had to break away for some reason ..... was simply confused for 8
>> minutes ..... and then that was it; I don't think I'd be coming back.
>> Restricting usage somehow rather than time at the site seems a better idea.
>>

> I agree. Better to give them access to a subset of what's available,
> with information on what they're missing.

> Plus, there are ways around it - for instance, when my session expires,
> just create another user (so maybe I have to clear cookies in my
> browser). And if it requires verification, I can create 5,000 gmail
> accounts and be there for months.

> But more likely I'll never come back.

Rather intheresting discussion I've found :)
Take a look at this demo :)
http://www.l2wh.com/updrop/demo.php


--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>

AnrDaemon wrote:
> Greetings, Jerry Stuckle.
> In reply to Your message dated Saturday, May 10, 2008, 14:53:15,
>
>>>>>> I got an unusual request. One customer wants a password/access made
>>>>>> available to a user that is valid for only, say, ten minutes. I
>>>>>> know that I can enforce this by having a revalidation of the
>>>>>> password every time the user changes a page. This, though, seems
>>>>>> like a a lot of overhead in having to make a db call every time a
>>>>>> page is changed.
>>>>>> I also thought about setting a timer for ten minutes, and on
>>>>>> firing of that timer unset a session variable that I would have set
>>>>>> when the user is given this temporary access. Doing this, I would
>>>>>> only have to check at the top of every page that the session
>>>>>> variable is set- no big deal.
>>>>>>
>>>>> You need to validate that the user is logged in (session) on every
>>>>> page requiring password access anyway, right? So store the login time
>>>>> in a session variable and if it has timed out, ... log them out. I
>>>>> don't see the problem.
>>>>>
>>>> Man, it is really trivial after all. Thanks. (Now why didn't I think
>>>> of such an obvious solution?)
>>>>
>>>>
>>>>
>>>>>> What do you folks think about this request?
>>>>>>
>>>>> Seems rude to me.
>>>>>
>>>> Huh? I hope you don't mean me. If you mean the client, what he wants
>>>> to do is give a "taste" of the site before the user has to subscribe.
>>>>
>>> You said "I got an unusual request. ........ " And later asked ...
>>> "What do you folks think about this request?"
>>> So ..... what do you think?
>>>
>>> Logging someone out after ten minutes seems rude. If I got a phone call
>>> ..... had to break away for some reason ..... was simply confused for 8
>>> minutes ..... and then that was it; I don't think I'd be coming back.
>>> Restricting usage somehow rather than time at the site seems a better idea.
>>>
>
>> I agree. Better to give them access to a subset of what's available,
>> with information on what they're missing.
>
>> Plus, there are ways around it - for instance, when my session expires,
>> just create another user (so maybe I have to clear cookies in my
>> browser). And if it requires verification, I can create 5,000 gmail
>> accounts and be there for months.
>
>> But more likely I'll never come back.
>
> Rather intheresting discussion I've found :)
> Take a look at this demo :)
> http://www.l2wh.com/updrop/demo.php
>
>

Another bunch of garbage from Anr... He's good at that.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Greetings, Jerry Stuckle.
In reply to Your message dated Thursday, June 12, 2008, 08:37:07,

> Another bunch of garbage from Anr... He's good at that.

You aren't pleased with example i have provided?
Why you behave like a troll?


--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>

AnrDaemon wrote:
> Greetings, Jerry Stuckle.
> In reply to Your message dated Thursday, June 12, 2008, 08:37:07,
>
>> Another bunch of garbage from Anr... He's good at that.
>
> You aren't pleased with example i have provided?
> Why you behave like a troll?
>
>

Not trolling. Just calling your garbage what it is.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Greetings, Jerry Stuckle.
In reply to Your message dated Monday, June 16, 2008, 00:23:21,

>>> Another bunch of garbage from Anr... He's good at that.
>>
>> You aren't pleased with example i have provided?
>> Why you behave like a troll?
>>
>>

> Not trolling. Just calling your garbage what it is.

Prove or shut up your mouth.


--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>