Password protection without .htaccess

fishfork
Novice

Aug 8, 2000, 1:40 PM

Post #1 of 3 (354 views)
Password protection without .htaccess

Hi
I need to write an online system that works a bit like Yahoo! e-mail and I'm having trouble with password protection.

I need something fairly secure (like .htaccess) but with a form interface.

The only way I can think of doing this is protecting the site with .htaccess then using a setuid script to fetch out pages for authorised users (authorisation using a cookie).

There must be a better way???
How do Yahoo! do it?
(I'm interested in the concept rather than code).


Kanji
User

Aug 8, 2000, 4:10 PM

Post #2 of 3 (354 views)
Re: Password protection without .htaccess

I'm not sure why you think a setuid script will gain you anything (usually you want to give CGIs and the like as few permissions as possible), but see the Password Protection section of TPA's CGI/Perl guide for various implementations along this theme.

On a higher level, you would want something like the following pseudo code on every page you want protected ...

code:

    if has auth_cookie and auth_cookie is valid
        show page
    else
        set url = current url

        CHECK PASSWORD {
            set password = prompt user

            if password is not valid
                repeat CHECK PASSWORD
            else
                continue
            endif
        }

        set auth_cookie = valid

        redirect to $url
    endif
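The step the pseudocode above leaves open is what "auth_cookie is valid" means. The following is an added example, not code from the thread: it makes the cookie an HMAC-signed value of the form user|expiry|mac, so the server can verify it without a database lookup and a user cannot forge or edit it. The secret $SECRET, the login URL /login.cgi and the function names are assumptions for the example; only Perl core modules (Digest::SHA) are used.

```perl
#!/usr/bin/perl
# Added example: a signed auth cookie for the "auth_cookie is valid" check.
# $SECRET is a constructed placeholder; load a real one from a file outside
# the web root and keep it out of the request path entirely.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'replace-with-a-long-random-secret';   # constructed placeholder

# Build "user|expiry|mac"; the MAC covers both the user and the expiry time.
sub make_auth_cookie {
    my ($user, $expires, $secret) = @_;
    die "user must not contain '|'" if $user =~ /\|/;
    my $payload = join('|', $user, $expires);
    return $payload . '|' . hmac_sha256_hex($payload, $secret);
}

# Compare two strings without leaking, through timing, where they differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name if the cookie is genuine and unexpired, undef otherwise.
sub verify_auth_cookie {
    my ($value, $secret, $now) = @_;
    return undef unless defined $value;
    my ($user, $expires, $mac) = split /\|/, $value, 3;
    return undef unless defined $mac && $expires =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex(join('|', $user, $expires), $secret);
    return undef unless constant_time_eq($mac, $expected);   # forged or edited
    return undef if $now >= $expires;                        # expired
    return $user;
}

# Percent-encode a string for use in a query parameter (no non-core module needed).
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# The per-page decision from the pseudocode: show the page, or remember the
# requested URL and send the user to the login form.
sub handle_request {
    my ($cookie_value, $url, $now) = @_;
    my $user = verify_auth_cookie($cookie_value, $SECRET, $now);
    return { action => 'show_page', user => $user } if defined $user;
    # Only a local path is remembered, so the post-login redirect stays on this site.
    $url = '/' unless defined $url && $url =~ m{\A/(?!/)};
    return { action => 'redirect', location => '/login.cgi?url=' . url_encode($url) };
}

# Demonstration with constructed values.
my $now    = 1_700_000_000;
my $cookie = make_auth_cookie('alice', $now + 3600, $SECRET);
print "cookie:   $cookie\n";
printf "valid:    %s\n", verify_auth_cookie($cookie, $SECRET, $now) // 'none';
(my $tampered = $cookie) =~ s/\Aalice/admin/;
printf "tampered: %s\n", verify_auth_cookie($tampered, $SECRET, $now) // 'none';
printf "expired:  %s\n", verify_auth_cookie($cookie, $SECRET, $now + 7200) // 'none';

my $r = handle_request(undef, '/inbox.cgi?folder=sent', $now);
print "no cookie   -> $r->{action} to $r->{location}\n";
$r = handle_request($cookie, '/inbox.cgi', $now);
print "good cookie -> $r->{action} as $r->{user}\n";
```

After a successful password check the login script sends the value from make_auth_cookie in a Set-Cookie header with HttpOnly, Secure and Path=/ set, then redirects to the remembered URL. Because the MAC is keyed, the cookie is as strong as the secret: rotating the secret logs everyone out, which is a useful property when the key is suspected to have leaked.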


fishfork
Novice

Aug 9, 2000, 3:24 AM

Post #3 of 3 (354 views)
Re: Password protection without .htaccess

I've solved my own problem. (Having searched for 'password' in these forums and read about every result).

CGI scripts completely ignore .htaccess, hence the following scheme is possible.

Protect the data directory using .htaccess. Only you know the password so it is secure.
chmod the directory to 777.

Now write a CGI script that will open and read files in the protected directory; the files it will read depend on the user.
You have to be very careful to use absolute paths and to check input for Unix metacharacters and '..' to avoid hackers, but as the script is running as the nobody user (not setuid as I originally thought) it is inherently safer.

A Yahoo! mail style login can set a cookie to maintain state, and if necessary a session file can be created for the user.

Great.
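The check fishfork describes, absolute paths and input screened for metacharacters and '..', is the part of this scheme that has to be right. The following is an added example, not code from the thread: an allow-list on the file name, a three-argument open so the name is never interpreted by a shell, and a canonical-path check so that even a symlink inside the data directory cannot lead outside it. $DATA_DIR and the file names are constructed; the demonstration writes its sample files into a temporary directory so it runs offline. Since the script runs as the web server user, the data directory only needs to be readable by that user; it does not need to be world-writable.

```perl
#!/usr/bin/perl
# Added example: confining a CGI script's reads to one data directory.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Constructed path; in a deployment this is the .htaccess-protected directory.
my $DATA_DIR = '/var/www/private-data';

# Allow-list: a plain file name only. This refuses path separators, shell
# metacharacters, '..' and anything starting with '.' (so .htaccess and
# .htpasswd in the data directory can never be served).
sub is_safe_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 if length($name) == 0 || length($name) > 64;
    return 0 if $name =~ /\.\./;
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/ ? 1 : 0;
}

# Resolve $name under $base and return the absolute canonical path, or undef
# if the name is unsafe, the file is missing, or it resolves outside $base.
sub resolve_user_file {
    my ($base, $name) = @_;
    return undef unless is_safe_name($name);
    my $base_real = realpath($base);
    return undef unless defined $base_real;
    my $real = realpath(File::Spec->catfile($base_real, $name));  # follows symlinks
    return undef unless defined $real;
    # The canonical path must sit below the data directory, not merely start
    # with its name (hence the trailing slash).
    return undef unless index($real, "$base_real/") == 0;
    return undef unless -f $real;
    return $real;
}

# Read the file for this user, or return undef if it cannot be served.
sub read_user_file {
    my ($base, $name) = @_;
    my $path = resolve_user_file($base, $name);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;   # 3-arg open: never a shell string
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Demonstration in a temporary directory standing in for $DATA_DIR.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/alice.txt") or die "cannot write: $!";
print $out "alice's mailbox\n";
close $out;
open($out, '>', "$dir/.htaccess") or die "cannot write: $!";
print $out "AuthType Basic\n";
close $out;

# Constructed requests: one legitimate, the rest the kinds of input to refuse.
for my $name ('alice.txt', '../etc/passwd', '.htaccess', 'alice.txt;id', 'bob.txt') {
    my $content = read_user_file($dir, $name);
    printf "%-16s -> %s\n", $name, defined $content ? 'served' : 'refused';
}
```

In the mail-style design from the thread, the name passed to read_user_file should come from the server-side session that the login cookie identifies, not from a query parameter the browser controls; the allow-list and path check then guard against a corrupted or tampered session value rather than against the raw request.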
