This has come up periodically over the years and so I’m going to take a bit more technical look at it. I blogged last week about rethinking your contract so that you can leverage remote access in times when your physical library access is restricted. There are a couple of ways that law libraries can create authenticated connections to legal publisher sites. You do not need a lot of technology know-how to do this. This post will offer a mix of technical and non-technical solutions and revolves around referral pages.

Before I dive in, the idea I’m focused on is this: forwarding authenticated users to a legal publisher site. The goals are:

  • utilize a law library-controlled database of usernames and passwords for members (dues paying individuals, regulated professionals, whatever your organization uses)
  • have them use law library-controlled credentials to authenticate themselves.
  • pass them to the legal publishing platform so they can do their research.

You can do this simply by paying money to OCLC and running an EZproxy instance. But there are law libraries that cannot afford that option. I’m also not convinced it’s the best option for a membership- or subscription-focused law library. Proxies can be a great option for academic libraries or libraries, like ours, that have large membership communities. Law firm libraries can use an internet-exposed login system like SharePoint.

If you are in a law firm, you should read Blank Rome’s Andre Davison on using SAML and single sign-on for research databases. Law firms will have tools that can streamline password and access management that other law libraries probably can’t leverage.

Referral URLs

The functionality revolves around what’s known as a referral URL. When you visit a web site, you tell it where you came from. From an analytics perspective, it’s useful to know who is sending you visitors. Here’s a snapshot of recent referrers in alpha order to this blog:

This is also captured in a log file. I mention this both for clarity and also because you may need to eventually access your site log files if you are troubleshooting. The log file stores interactions with your web site. Here are two lines from my log this morning. It shows news reading tools – inoReader and the commercial Manzama crawler – hit my feed. I’ve marked the referral URLs in bold. The referral URL for the inoReader link is my home page (https://ofaolain.com). The Manzama one is blank, and rendered as a dash.

92.247.181.17 - - [28/Jun/2020:00:14:45 -0400] "GET /feed/ HTTP/1.1" 200 22388 "https://ofaolain.com/" "Mozilla/5.0 (compatible; inoreader.com; 4 subscribers)"
35.192.145.153 - - [28/Jun/2020:00:15:03 -0400] "GET /feed/ HTTP/1.1" 200 22388 "-" "Mozilla/5.0 (Compatible; Manzama/20170301 http://manzama.com)"

Any web site can capture this information about its visitors. We have used this approach with our legal publishing vendors for resources that are in-library but not IP-authenticated. If you don’t have a static IP for IP authentication, this can be a way to work around that limitation without creating a slew of accounts.

Your goal is to make sure that your authenticated researchers are hitting the legal publisher’s site from a specific, secure URL. Once you have that set up, the legal publisher can make a change on its server to accept incoming visitors from that secure page, without requiring a password or IP authentication. You are taking on the authentication yourself.
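The check described above, applied to access-log lines, as an added example that is not part of the original post. It parses the referrer field from the log format shown earlier and compares it exactly against one agreed page; the library.example URL and the last two sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the single members-only page the publisher agreed to accept.
ALLOWED = ("https", "library.example", "/members/resources/")

# First two lines are the ones quoted in the post; the rest are constructed.
SAMPLE = [
    '92.247.181.17 - - [28/Jun/2020:00:14:45 -0400] "GET /feed/ HTTP/1.1" 200 22388 '
    '"https://ofaolain.com/" "Mozilla/5.0 (compatible; inoreader.com; 4 subscribers)"',
    '35.192.145.153 - - [28/Jun/2020:00:15:03 -0400] "GET /feed/ HTTP/1.1" 200 22388 '
    '"-" "Mozilla/5.0 (Compatible; Manzama/20170301 http://manzama.com)"',
    '198.51.100.7 - - [28/Jun/2020:09:00:00 -0400] "GET /research HTTP/1.1" 200 5120 '
    '"https://library.example/members/resources/" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jun/2020:09:01:00 -0400] "GET /research HTTP/1.1" 200 5120 '
    '"https://library.example.other.test/members/resources/" "Mozilla/5.0"',
]

def parse_line(line):
    """Return one log line's fields as a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_status(referer, allowed=ALLOWED):
    """'missing' for a blank or dash value, 'allowed' on an exact match, else 'other'."""
    if referer in ("", "-"):
        return "missing"
    parts = urlsplit(referer)
    # Compare parsed components; a text prefix test would accept the fourth sample line.
    if (parts.scheme, parts.hostname, parts.path) == allowed:
        return "allowed"
    return "other"

def classify(lines):
    """Return (ip, status) for every line that parses."""
    records = (parse_line(line) for line in lines)
    return [(r["ip"], referer_status(r["referer"])) for r in records if r]

if __name__ == "__main__":
    for ip, status in classify(SAMPLE):
        print(f"{ip:15} {status}")
```

A run of "missing" entries for real members usually means their browser or network is withholding the header, which is the first thing to check when someone reports they cannot get through.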

The Authentication Details: Code

This is the greater challenge. It will depend on the technology your law library uses. The good thing is that it tends to be set and forget. In Ohio, we used an Access database that we uploaded to our Microsoft web server. We used two web pages for the process side: one was the login page and one wasn’t. If the person logged in, the second page would display the research links. If the person didn’t log in, they were flipped back to the login page.

If you don’t even want to contemplate the coding part, skip ahead.

This link will tell you your referrer (which should be this page). I got the code here and cut and pasted it into the legal-publisher.php file that is linked in the previous sentence. Here’s the whole page:

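<?php
// The Referer header is sent by the browser and may be missing, so fall back to an empty string.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
// Escape the value before printing it; it is visitor-supplied text.
echo "Your referral page was: " . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
?>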

You may ask yourself, how do I work this? Create an empty text file, paste the code in it, and make sure the file ends in .php. When you put it on a web server, it will run the code. It won’t work by just opening a file in your browser from your hard drive. You can paste in regular HTML too, and that will render like a normal web page. In other words, you don’t need a lot of coding knowledge to do something with PHP.

But as the source where I got the code from says, you can’t always be sure that the referrer is set properly. I’m not sure if this is true if you’re handling it on your own site or not. So the second page usually tests for authentication. Again, the PHP code comes from that other site. Your login page (page-one) has:

<?php
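//page-one.php
session_start();
// Store a timestamp in the session; page-two.php checks that this value exists.
// On a real login page, set it only after the username and password have been verified.
$_SESSION['page_one'] = time();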
?>

and your resources page (page-two) has something that verifies a successful login:

<?php
//page-two.php
session_start();

//Check to see if session variable exists.
if(!isset($_SESSION['page_one'])){
    //Does not exist. Redirect user back to page-one.php
    header('Location: page-one.php');
    exit;
}
?>

In our situation in Ohio, the resources page verified a login using VBScript, a language that works on Microsoft Internet Information Servers (and is now more than a decade old). The login page could set a cookie so that members didn’t have to type in their login each time.

The login page forwarded the username and password and this page checked it for verification. Here’s some of the code from the login form:

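   Session("Member") = True
   firstname = Rs.Fields("fname")
   lastname = Rs.Fields("lname")
   borrowerno = CStr(Rs.Fields("borrower"))
   ' URL-encode each value so spaces, ampersands or apostrophes in a name cannot break the query string
   Response.Redirect("mo.asp?firstname=" & Server.URLEncode(firstname) & "&lastname=" & Server.URLEncode(lastname) & "&borrower=" & Server.URLEncode(borrowerno) & "&ftos=" & Server.URLEncode(ftos))

   End If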

That last line forwarded the relevant user information to the second page, the resources page. I’m not a fan of passing the information in the URL like this but it was what we had at hand. It helped that none of this was personal information; the borrower code was a library card number we created.

One way we attempted to make our law library sticky with members was to use library cards. So we had a unique identifier for each lawyer. It was unique as a password and it also helped us to understand who was using our remote access services.

The information in the URL was parsed by the second page and then the page was displayed if appropriate. If not, the person was returned to the login page. Using this approach also allowed us to display different resources depending on the researcher. Premium tier? Solo versus large firm? It allowed for segmentation of our membership in how we provided resources.

<%
    	If Session("Member")<>True Then
		Response.Redirect("login.asp")
		Else
		
		dim qLastname, qBorrower, qTOS

		If Request.QueryString("lastname") <> "" Then
			qLastname = Request.QueryString("lastname")
			qBorrower = Request.QueryString("borrower")		
			qTOS = Request.QueryString("ftos")

		ElseIf Request.Cookies("LName") <> "" Then
			qLastname = Request.Cookies("LName")
			qBorrower = Request.Cookies("PasswordCookie")
			qTOS = Request.Cookies("TOS")
		Else
			Response.Redirect("login.asp")
		End If
	
		
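		Set lawlibConn = Server.CreateObject("ADODB.Connection")
		lawlibConnFilePath = Server.MapPath("law-library-membership.mdb")
		lawlibConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & "Data Source=" & lawlibConnFilePath & ";"

		' The borrower number must be numeric; anything else goes back to the login page
		If Not IsNumeric(qBorrower) Then Response.Redirect("login.asp")

		' Pass the values as parameters instead of concatenating them into the SQL string
		Set cmd = Server.CreateObject("ADODB.Command")
		Set cmd.ActiveConnection = lawlibConn
		cmd.CommandText = "SELECT * FROM your_db WHERE lname = ? AND borrower = ?"
		cmd.Parameters.Append cmd.CreateParameter("lname", 200, 1, 255, CStr(qLastname))   ' 200 = adVarChar, 1 = adParamInput
		cmd.Parameters.Append cmd.CreateParameter("borrower", 3, 1, , CLng(qBorrower))   ' 3 = adInteger
		Set Rs = cmd.Execute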


		End If
%>
[The rest of your web page goes here. It can be HTML or more VBScript. The page filename needs to end in .asp, and the page needs to be placed on a Microsoft IIS server in order to work properly.]

The first part grabs the information passed over from the login form. The next part checks for the details. The line in bold throws the visitor who doesn’t log in properly back to the login page.

I wouldn’t do it this way now. The world of secure platforms has changed so much that I think there are better options. But I’m including the code just in case anyone would prefer to roll their own or to play around with the code.

The better option, I think, is to use a tool that takes care of the login for you.

The Authentication Details: No Code

If your law library uses a content management system or blog like WordPress, you may have all you need. CMS come with authentication schemes built in. If you were to consider all of your members as, in the WordPress nomenclature, subscribers, then you can create private pages already.

This mostly impacts public-facing law libraries. A law firm with an intranet will not need any of these workarounds. A SharePoint site that lawyers and staff can log into will work just as well for the authenticated step, whether it is inside a firewall or not. I’m not as certain about the referral URL that would come out of Microsoft 365.

In this case, you wouldn’t have to worry about additional code or proxy tools. You could build a subscriber-only page of e-resources and manage that. The referral URL the legal publisher intercepts would be the URL of that page.
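Which URL the publisher actually receives depends on the page's Referrer-Policy: current browsers default to strict-origin-when-cross-origin, which sends only the site's origin to another site. The following is an added example (not from the original post) that works out the Referer value for each standard policy; the library.example and publisher.example URLs are assumptions, and the downgrade test is simplified to https versus non-https.

```python
from urllib.parse import urlsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"  # default in current browsers


def origin(url):
    """Scheme, host and port of a URL, as sent in an origin-only Referer."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}/"


def full_url(url):
    """The URL as sent in Referer: no fragment and no user:password part."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return origin(url) + (p.path or "/")[1:] + query


def referer_sent(page_url, target_url, policy=DEFAULT_POLICY):
    """Referer sent when a link on page_url is followed to target_url, or None."""
    same = origin(page_url) == origin(target_url)
    # Simplification: "downgrade" means an https page linking to a non-https target.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    full, short = full_url(page_url), origin(page_url)
    table = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": short,
        "same-origin": full if same else None,
        "origin-when-cross-origin": full if same else short,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else short,
        "strict-origin-when-cross-origin": full if same else (None if downgrade else short),
    }
    if policy not in table:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    return table[policy]


# Assumed URLs: the library's members-only page and the publisher's landing page.
PAGE = "https://library.example/members/resources/"
PUBLISHER = "https://publisher.example/research"

if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, "no-referrer-when-downgrade", "no-referrer"):
        print(f"{policy:32} -> {referer_sent(PAGE, PUBLISHER, policy)}")
```

If the publisher matches on the full page URL, the members-only page has to send a Referrer-Policy response header (or a meta referrer tag) that permits it, such as no-referrer-when-downgrade. Otherwise, agree with the publisher to match on the origin alone.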

This is the service EZproxy and other proxies provide. They create and manage a database of users and can provide options on how to get the researcher to the final destination. If you are a membership library, though, you may already have a database of membership information. Uploading that database using a WordPress plugin may be simpler and cheaper than licensing a proxy service.

There are also membership management plugins for WordPress, so you could still do some market segmentation. If you have resources that are premium (members pay more) or based on context (only licensed for solos, for example), you’ll need more than base WordPress. But it can still be done for free.

The benefit of using a tool that you’re already using is that it eliminates a lot of the technical overhead. The benefit of keeping your membership data on your own platforms is that you don’t have to worry about member privacy (with proxies) or them being subject to marketing from the publishers (if you create accounts on the publishers’ site).

Remote access is an asset for any law library. We are all experiencing foot traffic pressure and the need to deliver resources over larger geographical spaces. The pandemic has shown we can’t rely on always having access to our physical space. If you haven’t started contemplating a remote access option, there’s never been a better time to start.