CGI/Perl Guide | Learning Center | Forums | Advertise | Login Site Search: in Perl Guide PerlGuru Forums Learning Ctr

	MAIN INDEX	SEARCH POSTS	WHO'S ONLINE	LOG IN

Home: Perl Programming Help: Intermediate: Password protection without .htaccess

fishfork Novice Aug 8, 2000, 1:40 PM Post #1 of 3 (175 views) Password protection without .htaccess Can't Post Hi I need to write an online system that works a bit like Yahoo! e-mail and I'm having trouble with password protection. I need something fairly secure (like .htaccess) but with a form interface. The only way I can think of doing this is protecting the site with .htaccess then using a setuid script to fetch out pages for authorised users (authorisation using a cookie). There must be a better way??? How do Yahoo! do it? (I'm interested in the concept rather than code).

Kanji User Aug 8, 2000, 4:10 PM Post #2 of 3 (175 views) Re: Password protection without .htaccess [In reply to] Can't Post I'm not sure why you think a setuid script will gain you anything (usually you want to give CGIs and the like as few permissions as possible), but see the Password Protection of TPA's CGI/Perl guide for various implementations along this theme. On a higher level, you would want something like the following pseudo code on every page you want protected ... <BLOCKQUOTE><font size="1" face="Arial,Helvetica,sans serif">code:</font><HR> if has auth_cookie and auth_cookie is valid show page else set url = current url CHECK PASSWORD { set password = prompt user if password is not valid repeat CHECK PASSWORD else continue endif } set auth_cookie = valid redirect to $url endif</pre><HR></BLOCKQUOTE>

fishfork Novice Aug 9, 2000, 3:24 AM Post #3 of 3 (175 views) Re: Password protection without .htaccess [In reply to] Can't Post I've solved my own problem. (Having searched for 'password' in these forums and read about every result). CGI scripts completely ignore .htaccess hence the following scheme is possible. Protect the data directory using .htaccess. Only you know the password so it is secure. chmod the directory to 777. Now write a CGI script that will open and read files in the protected directory, the files it will read depends on the user. You have to be very careful to use absolute paths and to check input for unix meta characters, and .. to avoid hackers, but as the script is running as the nobody user (not setuid as I originally thought) it is inherently safer. A Yahoo! mail style login can set a cookie to maintain state, and if necessary a session file can be created for the user. Great.

Announcements     PerlGuru Announcements Perl Programming Help     Frequently Asked Questions     Beginner     Intermediate     Advanced     Regular Expressions     mod_perl     DBI     Win32 Programming Help Fun With Perl     Perl Quizzes - Learn Perl the Fun Way     Perl Golf     Perl Poetry Need a Custom or Prewritten Perl Program?     I need a program that...     I Need a Programmer for Freelance Work     Throw Down The Gauntlet General Discussions     General Questions     Feedback     Tutorial/Article Suggestions for The Learning Cent     Internet Security Other Programming Languages     Javascript     PHP

Search this forum this category all forums for All words Any words Whole Phrase (options)

Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives