
One approach that has been used to provide "private" RSS feeds without
username/password style authentication is to use a unique token string
for each personalized feed.  In this system each user/feed instance is
assigned a unique auto-generated token string that makes up the
important part of the feed's URL.  This is how the folks behind
Basecamp project management software (http://www.basecamphq.com/)
handle their custom RSS feeds for projects.

Unfortunately this style of authentication doesn't prevent someone else
from accessing your feed's contents if they get ahold of the URL
containing the token string.  The presumption is that the feed URL is
only displayed to the user after they have authenticated to their
account.  Additionally, a burden is placed on the user to not share
their feed URLs or expose them to web-based aggregators such as
Bloglines.  For users of desktop aggregators the token-approach
provides a little more privacy than feeds that use a more easily
obtainable user_id as part of the feed URL.

Of course for truly sensitive information you wouldn't even want to
go there.

Tito Sierra
NCSU Libraries

On Jan 31, 2005, at 1:11 PM, Binkley, Peter wrote:

> My impression is that the better class of desktop RSS readers can
> handle a feed that comes in with http authentication over an https
> connection, but that the web-based readers (such as Bloglines) can't
> at the moment.
>
> The problem would be that you'd have to trust a remote web service with
> your id and password (or else reenter them every time you accessed
> Bloglines). We've built an RSS feed that presents everything on your
> Sirsi MyAccount page (charged items, fines, holds) in the form of an
> RSS feed, using Cocoon's screen-scraping functions. This makes it easy
> to embed your barcode and pin in the url - not exactly secure, but not
> much less secure than sending the barcode and pin in clear text over
> http, which is what happens when you access the native Sirsi MyAccount
> page.
>
> But what if you put this in your Bloglines account? It becomes part of
> their social-bookmarking world, so the books I've signed out become
> searchable ... So we haven't rolled this out, we're still thinking
> about it. We also have an http-authenticated https proxy page in front
> of Cocoon that we can use, but we haven't decided what to do with all
> this.
>
> Peter
>
>
>> -----Original Message-----
>> From: Code for Libraries [mailto:[log in to unmask]] On
>> Behalf Of Walter Lewis
>> Sent: Friday, January 28, 2005 08:15 PM
>> To: [log in to unmask]
>> Subject: Re: [CODE4LIB] Individually Customized RSS feeds
>>
>> Edward Iglesias wrote:
>>> Well there have been some postings recently on SIRSI adopting RSS
>>> technology.  See
>>>
>>> http://www.theshiftedlibrarian.com/archives/2005/01/19/sirsi_breaks_open_the_rss_flood_gates.html
>>>
>>> Eric Lease Morgan wrote:
>>>> If I understand the concept, I have tried to do this as a part of the
>>>> (incomplete) Ockham Alerting Service. The Service allows you to query
>>>> an index, and the search results are then available as HTML, email,
>>>> or an RSS feed. When the content in the index gets refreshed, the RSS
>>>> feed will return different results every time. The operative word
>>>> here is "when". See:
>>>>
>>>>   http://alert.ockham.org/
>>
>> I think I *get* the notion of search results as RSS feed.
>> And I respect Eric's "when" qualifier.  I even like some of
>> the things being suggested in the SIRSI announcement and
>> discussion posted on Shifted Librarian.
>>
>> What I was particularly thinking of was stuff that we would,
>> in the pre-Spam/phish era of email, have only considered
>> emailing (and, in many cases, still do of course):
>>         hold notifications
>>         overdue notifications
>>         profile based SDI reports (e.g. new books or articles in *)
>>         targeted announcements (by location, status, etc.)
>> When dealing with individual patrons, I'm assuming that we
>> need to authenticate in order to respect (or at least
>> acknowledge) their right to privacy. (how much privacy with
>> email is a different thread)
>>
>> Could any/many of the different classes of RSS readers deal
>> with a standard web authentication scheme? standalone?
>> embedded in email clients? embedded in browsers?
>>
>> Walter Lewis
>> Halton Hills
>>
>
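
The per-feed token scheme described in the top message of this thread, as an added example that is not part of the original posts and is not Basecamp's code: it issues an unguessable token per user, keeps only a hash of it server-side, and lets a user rotate the token so a feed URL that has leaked stops working. The class and function names, the URL layout and the example.org host are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class FeedTokenStore:
    """In-memory stand-in for the table mapping feed tokens to users (hypothetical)."""

    def __init__(self):
        self._by_user = {}  # user_id -> SHA-256 hex digest of the current token

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create or rotate the user's token; any previous feed URL stops working."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_user[user_id] = self._digest(token)
        return token  # shown only after login; the server keeps just the digest

    def revoke(self, user_id):
        self._by_user.pop(user_id, None)

    def resolve(self, token):
        """Return the user_id that owns this token, or None if it is unknown."""
        if not token or len(token) > 128:
            return None
        candidate = self._digest(token)
        owner = None
        for user_id, stored in self._by_user.items():
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                owner = user_id
        return owner


def feed_url(base, token):
    # Constructed URL layout; the token is the only secret in the URL.
    return f"{base}/feeds/{token}/account.rss"


def token_from_path(path):
    """Extract the token segment from /feeds/<token>/account.rss, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "feeds" and parts[2] == "account.rss":
        return parts[1]
    return None
```

Serving the feed only over https keeps the token out of clear-text traffic, but the token still ends up wherever the URL is pasted, which is the limitation the message points out.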