LinuxQuestions.org
Old 06-02-2004, 07:34 AM   #1
amit_28oct
Member
 
Registered: Feb 2004
Posts: 31

Rep: Reputation: 15
Password Protection In CGI


Sir,

I am using Redhat 9, Perl 5.8.0
My problem is that I want to create password protected pages in CGI.
I tried .htaccess but it is for directory level security. In my project I can assign each user access on a per-file basis. I think this could be solved using 'session variables' but I don't know how to do that in CGI (I know how to do it in ASP). I tried using the Remote_user env variable. But how do I make this value pertain to all pages?
In short, what I want to do is:
1. User will encounter login page first.
2. I am storing user name and password in a mysql table.
3. If user name and password are correct, user will login.
4. Each user has a unique user_id.
5. I just want to pass this id to every page (using session variables).
6. Every program also has a unique program id.
So I will then check whether that particular user has access to that program_id or not.

So my problem is on step 5.
Can you please help?
Regards
Amit
 
Old 06-02-2004, 01:38 PM   #2
smaida
Member
 
Registered: Apr 2004
Location: Richmond, VA - USA
Distribution: Debian
Posts: 62

Rep: Reputation: 15
Hello,

You may want to look at http://cpan.uwinnipeg.ca/module/Apache::Session

It is built for mod_perl but works with CGI as well. You can use the module to track users with cookies.

Hope that helps.
Shawn
 
Old 06-02-2004, 11:11 PM   #3
amit_28oct
Member
 
Registered: Feb 2004
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks for replying shawn
I will check that url.
But in the meanwhile can you please tell

Is it safe to use cookies ?
Do all browsers support cookies ?
What if someone disabled cookies ?
Can't I use session variables in CGI ?
Should I use hidden fields ?

Regards
Amit
 
Old 06-03-2004, 04:04 AM   #4
amit_28oct
Member
 
Registered: Feb 2004
Posts: 31

Original Poster
Rep: Reputation: 15
I looked at http://cpan.uwinnipeg.ca/module/Apache::Session
as told by shawn. I also tried http://cpan.uwinnipeg.ca/htdocs/Apac...ion/MySQL.html
but when I tried the following code.

#! /usr/bin/perl
use Apache::Session::MySQL;

my %session;

#make a fresh session for a first-time visitor
tie %session, 'Apache::Session::MySQL';

#stick some stuff in it
$session{visa_number} = "1234 5678 9876 5432";

#get the session id for later use
my $id = $session{_session_id};

#...time passes...

#get the session data back out again during some other request
my %session;
tie %session, 'Apache::Session::MySQL', $id;

&validate($session{visa_number});

#delete a session from the object store permanently
tied(%session)->delete;
---------------------------------------------------------------
It gave me following error
Can't locate apache/session/mysql.pm in @INC (@INC contains: /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at session.cgi line 2.
BEGIN failed--compilation aborted at session.cgi line 2.
[root@amitkhatri cgi-bin]# cd /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD
----------------------------------------------------------------------------------
Then I did
locate mysql.pm
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD/mysql.pm
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/DBD/mysql.pm

I copied the file mysql.pm
from
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD/mysql.pm
to
/usr/lib/perl5/5.8.0
-----------------------------------------------------------------------------------
and compiled that code again.
But it gave me the same error.
my program name is session.cgi.
I gave command

perl session.cgi

Should I download some other mysql.pm?
Or is there some mistake in my code?

Pls Help
Amit
 
Old 06-03-2004, 10:23 AM   #5
smaida
Member
 
Registered: Apr 2004
Location: Richmond, VA - USA
Distribution: Debian
Posts: 62

Rep: Reputation: 15
It looks as though you do not have Apache::Session::Mysql installed

In general whenever you see a perl error like:
Can't locate apache/session/mysql.pm in @INC

The module will be formed as Apache::Session::Mysql


You should be able to see if it is installed using:

#locate Apache/Session
/usr/local/share/perl/5.8.4/Apache/Session/MySQL.pm

you can install it using cpan.

cpan -i Apache::Session::MySQL

but I think just
cpan -i Apache::Session will install it as well.





Shawn
 
Old 06-04-2004, 03:21 AM   #6
amit_28oct
Member
 
Registered: Feb 2004
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks Again shawn.

I will try installing it as u told.
& then I will update u.

Regards
Amit
 
Old 06-05-2004, 02:10 PM   #7
The_Nerd
Member
 
Registered: Aug 2002
Distribution: Debian
Posts: 540

Rep: Reputation: 32
Hey amit_28oct, why don't you just pass the user ID every time you start a CGI script? As follows:

http://www.myserver.com/cgi-bin/getf...i?UserID=12346

Then just retrieve it when you need it... That is, just have your cgi script build the web page, or frame it, then all the links to CGI could have the right ID.
 
Old 06-24-2004, 12:54 AM   #8
amit_28oct
Member
 
Registered: Feb 2004
Posts: 31

Original Poster
Rep: Reputation: 15
Hello friends,
Sorry for not replying.
Actually I was out of station for last 15 days.
The problem with the solution told by The_nerd is that there will be no security if anyone gets to know some other person's user_id.
What do you think about this?

regards
amit
 
Old 06-24-2004, 02:22 AM   #9
smaida
Member
 
Registered: Apr 2004
Location: Richmond, VA - USA
Distribution: Debian
Posts: 62

Rep: Reputation: 15
Here is a small part of an old program that uses cookies to track users. The information is stored in mysql and I simply call the check_user sub every time the user navigates to a new page. I am sure there are better and faster ways, but this works. I have been using Apache::AuthCookie and Apache::AuthCookieDBI lately; I think they are only for mod_perl… but I am not 100% on that.



Code:
 
#################################################
#       We need to get the user cookie values   #
#################################################

my $pass = $q->cookie('pass');
my $user = $q->cookie('user');

%Cookies = (
   pass => $pass,
   user => $user
);

#################################################
#       Check to Verify User                    #
#################################################

sub check_user
{
  if ((! $Cookies{'user'}) || ($Cookies{'user'} eq ""))
  {
     $ignore =1;
     section("login");
  }

  # Bind the cookie value through a placeholder so it cannot alter the SQL
  my $statement = qq|SELECT * FROM staff WHERE username = ?|;
  my $sth = $dbh->prepare($statement) or die_nice("Couldn't prepare statement: $DBI::errstr; stopped");
     $sth->execute($Cookies{'user'}) or die_nice("Couldn't execute statement: $DBI::errstr; stopped");
     while(my $ref = $sth->fetchrow_hashref())
     {
       $username = $ref->{'username'};
       $rkey = $ref->{'rkey'};
       $usertype = $ref->{'usertype'};
       $password = $ref->{'password'};
     }

     $template{'username'} = $username;

     my $md5 = Digest::MD5->new;
        $md5->reset;

     my $yday   = (localtime)[7];
     my @ipa     =  split(/\./,$ENV{'REMOTE_ADDR'});
     my $startip =  $ipa[0] . $ipa[1];
     my $certif  =  $Cookies{'user'} . "pd-$rkey" . $ENV{'HTTP_USER_AGENT'} . $startip;
     $md5->add($certif);

     my $enc_cert = $md5->hexdigest();

     if($enc_cert eq $Cookies{'pass'})
     {
        $loggedin = 1;
     }
     else {
        $ignore =1;
        section("login");
     }
}








#======================================================#
#       Sub Section                                    #
#======================================================#

sub section
{
 $section = "@_";

 #====================#
 #    Login           #
 #====================#
 if ($section eq "login")
 {
    if (!$ignore)
    {
       check_user();

       print "Location: $global{'baseurl'}/main.cgi?do=main\n\n" if $loggedin == 1;
    }

    my $forward = $ENV{'QUERY_STRING'};
    $forward =~ s/do\=login//gi;

    $template{login} = qq|
      
  [HTML LOGIN FORM IS HERE]  

      |;
 print "Content-type: text/html\n\n";               # Print header
 parse("tpl/login");                                           # Parse template file

 }


#====================#
 #     Pro_Login      #
 #====================#
 if ($section eq "pro_login")
 {
    $user = $q->param('username');
    $pass = $q->param('password');

    # Bind the submitted username through a placeholder so it cannot alter the SQL
    $statement = qq|SELECT * FROM staff WHERE username = ?|;
    $sth = $dbh->prepare($statement) or die_nice("Couldn't prepare statement: $DBI::errstr;stopped");
    $sth->execute($user) or die "Couldn't execute statement: $DBI::errstr; stopped";
    while(my $ref = $sth->fetchrow_hashref())
    {
       $salt = $ref->{'rkey'};
       $cpass = crypt($pass, $salt);

       if ((!$user) || ($cpass ne $ref->{'password'})) {
          $error =1;
       }
       else{
          $username = $ref->{'username'};
          $password = $ref->{'password'};
          $usertype = $ref->{'usertype'};
       }
    }
    $error =1 if !$username;

    die_nice("Invalid username or password<br><a href=main.cgi?do=login>Back To Login Form</a>") if $error;

    if (@errors)
    {
       print "Content-type: text/html\n\n";
       @content = @errors;
       print @content;
       $dbh->disconnect;
       exit;
    }

    my $md5 = Digest::MD5->new;

    my $yday    =  (localtime)[7];
    my @ipa     =  split(/\./,$ENV{'REMOTE_ADDR'});
    my $startip =  $ipa[0] . $ipa[1];
    my $certif  =  $user . "pd-$salt" . $ENV{'HTTP_USER_AGENT'} . $startip ;

    $md5->add($certif);
    my $enc_cert = $md5->hexdigest() ;
    my $set      = $q->param('set');

    $cookie1 = $q->cookie(-name=>'user',
                          -value=>$user,
                          -path=>'/',
                          -domain=>'');
    $cookie2 = $q->cookie(-name=>'pass',
                          -value=>$enc_cert,
                          -path=>'/',
                          -domain=>'');
    print $q->header(-cookie=>[$cookie1,$cookie2]);

    # HTML-escape the request-supplied value before it is written into the page below
    $forward = $q->escapeHTML($q->param('forward') || "do=main");

    print qq|<html><p>&nbsp;</p><p>&nbsp;</p><meta http-equiv="refresh" content="1;URL=main.cgi?$forward"><p align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><b>Thanks for logging in</b>, you are now being taken to the staff area</font><br><br><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><a href="staff.cgi?$forward">click here</a> if you are not automatically forwarded</font></p></html>
    |;
    exit;

 }
 #====================#
 #    Log Out         #
 #====================#
 if ($section eq "logout")
 {
    check_user();

    $cookie1 = $q->cookie(-name => 'user',
                   -value => '',
                   -path => '/',
                   -domain =>'');

    $cookie2 = $q->cookie(-name => 'pass',
                   -value => '',
                   -path => '/',
                   -domain =>'');

    print $q->header(-cookie=>[$cookie1,$cookie2]);

    redirect("$global{'baseurl'}/main.cgi?do=login");
 }
}
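An added example, not part of the original thread or of smaida's program: one way to carry the user_id from step 5 in a cookie so that it cannot be changed to another user's id (the concern raised in post #8) and so that it expires, which the MD5 cookie above does not. It assumes Perl 5.10 or later with Digest::SHA; `$SECRET`, `issue_token`, `verify_token` and `ct_eq` are hypothetical names, and the secret and timestamps are constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret known only to the server (constructed value).
my $SECRET  = 'replace-with-32-random-bytes-from-a-csprng';
my $MAX_AGE = 30 * 60;    # session lifetime in seconds

# Build "user_id:expiry:mac"; the MAC covers both the user id and the expiry.
sub issue_token {
    my ($user_id, $now) = @_;
    my $expires = $now + $MAX_AGE;
    my $mac = hmac_sha256_hex("$user_id:$expires", $SECRET);
    return "$user_id:$expires:$mac";
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user id if the token is authentic and unexpired, otherwise undef.
sub verify_token {
    my ($token, $now) = @_;
    return undef unless defined $token
        && $token =~ /\A(\d+):(\d+):([0-9a-f]{64})\z/;
    my ($user_id, $expires, $mac) = ($1, $2, $3);
    return undef unless ct_eq($mac, hmac_sha256_hex("$user_id:$expires", $SECRET));
    return undef if $now > $expires;
    return $user_id;
}

# Constructed demonstration: a valid token, an edited user id, an expired token.
my $t0    = 1_700_000_000;
my $token = issue_token(12346, $t0);
(my $forged = $token) =~ s/\A12346:/12347:/;
printf "valid:   %s\n", verify_token($token,  $t0 + 60)           // 'rejected';
printf "forged:  %s\n", verify_token($forged, $t0 + 60)           // 'rejected';
printf "expired: %s\n", verify_token($token,  $t0 + $MAX_AGE + 1) // 'rejected';
```

Each CGI script would call `verify_token` on the cookie value with `time` as the second argument, and only then look up whether the returned user_id has access to its program_id. The cookie itself can be set with CGI.pm's `-secure` and `-httponly` cookie options.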
All times are GMT -5.