LinuxQuestions.org


amit_28oct 06-02-2004 08:34 AM

Password Protection In CGI
 
Sir,

I am using Redhat 9, Perl 5.8.0
My problem is that I want to create password protected pages in CGI.
I tried .htaccess but it is for directory level security. In my project I can assign each user access on a per file basis. I think this could be solved using 'session variables' but I don't know how to do that in CGI (I know how to do it in ASP). I tried using the Remote_user env variable. But how do I make this value pertain to all pages?
In short what I want to do is
1. User will encounter login page first.
2. I am storing user name password in mysql table.
3. If user name password are correct user will login.
4. Each user has a unique user_id.
5. I just want to pass this id to every page.(using session variables)
6. Every program also has unique program id.
So I will then check whether that particular user has access to that program_id or not.

So my problem is on step 5.
Can you please help?
Regards
Amit

smaida 06-02-2004 02:38 PM

Hello,

You may want to look at http://cpan.uwinnipeg.ca/module/Apache::Session

It is built for mod_perl but works with CGI as well. You can use the module to track users with cookies.

Hope that helps.
Shawn

amit_28oct 06-03-2004 12:11 AM

Thanks for replying, Shawn.
I will check that URL.
But in the meanwhile can you please tell me:

Is it safe to use cookies ?
Do all browsers support cookies ?
What if someone disabled cookies ?
Can't I use session variables in CGI ?
Should I use hidden fields ?

Regards
Amit

amit_28oct 06-03-2004 05:04 AM

I looked at http://cpan.uwinnipeg.ca/module/Apache::Session
as told by shawn. I also tried http://cpan.uwinnipeg.ca/htdocs/Apac...ion/MySQL.html
but when I tried the following code.

#! /usr/bin/perl
use Apache::Session::MySQL;

my %session;

#make a fresh session for a first-time visitor
tie %session, 'Apache::Session::MySQL';

#stick some stuff in it
$session{visa_number} = "1234 5678 9876 5432";

#get the session id for later use
my $id = $session{_session_id};

#...time passes...

#get the session data back out again during some other request
my %session;
tie %session, 'Apache::Session::MySQL', $id;

&validate($session{visa_number});

#delete a session from the object store permanently
tied(%session)->delete;
---------------------------------------------------------------
It gave me following error
Can't locate apache/session/mysql.pm in @INC (@INC contains: /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at session.cgi line 2.
BEGIN failed--compilation aborted at session.cgi line 2.
[root@amitkhatri cgi-bin]# cd /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD
----------------------------------------------------------------------------------
Then I did
locate mysql.pm
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD/mysql.pm
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/DBD/mysql.pm

I copied the file mysql.pm
from
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/Bundle/DBD/mysql.pm
to
/usr/lib/perl5/5.8.0
-----------------------------------------------------------------------------------
and compiled that code again.
But it gave me the same error.
my program name is session.cgi.
I gave command

perl session.cgi

Should I download some other mysql.pm?
Or is there some mistake in my code?

Please help
Amit

smaida 06-03-2004 11:23 AM

It looks as though you do not have Apache::Session::Mysql installed.

In general, whenever you see a Perl error like:
Can't locate apache/session/mysql.pm in @INC

The module will be formed as Apache::Session::Mysql


You should be able to see if it is installed using:

#locate Apache/Session
/usr/local/share/perl/5.8.4/Apache/Session/MySQL.pm

you can install it using cpan.

cpan -i Apache::Session::MySQL

but I think just
cpan -i Apache::Session will install it as well.

Shawn

amit_28oct 06-04-2004 04:21 AM

Thanks again, Shawn.

I will try installing it as you told me
and then I will update you.

Regards
Amit

The_Nerd 06-05-2004 03:10 PM

Hey amit_28oct, why don't you just pass the user ID every time you start a CGI script? As follows:

http://www.myserver.com/cgi-bin/getf...i?UserID=12346

Then just retrieve it when you need it... That is, just have your cgi script build the web page, or frame it, then all the links to CGI could have the right ID.

amit_28oct 06-24-2004 01:54 AM

Hello friends,
Sorry for not replying.
Actually I was out of station for the last 15 days.
The problem with the solution told by The_Nerd is that there will be no security if anyone gets to know some other person's user_id.
What do you think about this?

regards
amit

smaida 06-24-2004 03:22 AM

Here is a small part of an old program that uses cookies to track users. The information is stored in mysql and I simply call the check_user sub every time the user navigates to a new page. I am sure there are better and faster ways, but this works. I have been using Apache::AuthCookie and Apache::AuthCookieDBI lately; I think they are only for mod_perl… but I am not 100% on that.



Code:


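#################################################
#      We need to get the user cookie values    #
#################################################

# Modules this fragment relies on. $q (the CGI object), $dbh, %global,
# %template, parse(), die_nice() and redirect() come from the rest of the
# program, which is not shown here.
use CGI;
use DBI;
use Digest::MD5;

my $pass = $q->cookie('pass');
my $user = $q->cookie('user');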

%Cookies = (
  pass => $pass,
  user => $user
);

#################################################
#      Check to Verify User                    #
#################################################

sub check_user
{
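  if ((! $Cookies{'user'}) || ($Cookies{'user'} eq ""))
  {
    $ignore =1;
    section("login");
    return;    # no user cookie: stop here instead of running the lookup below
  }

  # Bind the cookie value through a placeholder; it is client-supplied and
  # must never be interpolated into the SQL text.
  my $statement = qq|SELECT * FROM staff WHERE username = ?|;
  my $sth = $dbh->prepare($statement) or die_nice("Couldn't prepare statement: $DBI::errstr; stopped");
    $sth->execute($Cookies{'user'}) or die_nice("Couldn't execute statement: $DBI::errstr; stopped");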
    while(my $ref = $sth->fetchrow_hashref())
    {
      $username = $ref->{'username'};
      $rkey = $ref->{'rkey'};
      $usertype = $ref->{'usertype'};
      $password = $ref->{'password'};
    }

    $template{'username'} = $username;

    my $md5 = Digest::MD5->new;
        $md5->reset;

    my $yday  = (localtime)[7];
    my @ipa    =  split(/\./,$ENV{'REMOTE_ADDR'});
    my $startip =  $ipa[0] . $ipa[1];
    my $certif  =  $Cookies{'user'} . "pd-$rkey" . $ENV{'HTTP_USER_AGENT'} . $startip;
    $md5->add($certif);

    my $enc_cert = $md5->hexdigest();

    if($enc_cert eq $Cookies{'pass'})
    {
        $loggedin = 1;
    }
    else {
        $ignore =1;
        section("login");
    }
}

#======================================================#
#      Sub Section                                    #
#======================================================#

sub section
{
 $section = "@_";

 #====================#
 #    Login          #
 #====================#
 if ($section eq "login")
 {
    if (!$ignore)
    {
      check_user();

print "Location: $global{'baseurl'}/main.cgi?do=main\n\n" if $loggedin == "1";
    }

    my $forward = $ENV{'QUERY_STRING'};
    $forward =~ s/do\=login//gi;

    $template{login} = qq|
     
  [HTML LOGIN FORM IS HERE] 

      |;
 print "Content-type: text/html\n\n";              # Print header
 parse("tpl/login");                                          # Parse template file

 }


#====================#
 #    Pro_Login      #
 #====================#
 if ($section eq "pro_login")
 {
    $user = $q->param('username');
    $pass = $q->param('password');

    # Bind the submitted username through a placeholder instead of
    # interpolating form input into the SQL text.
    $statement = qq|SELECT * FROM staff WHERE username = ?|;
    $sth = $dbh-> prepare($statement) or die_nice("Couldn't prepare statement: $DBI::errstr;stopped");
    $sth->execute($user) or die "Couldn't execute statement: $DBI::errstr; stopped";
    while(my $ref = $sth->fetchrow_hashref())
    {
      $salt = $ref->{'rkey'};
      $cpass = crypt($pass, $salt);

      if ((!$user) || ($cpass ne $ref->{'password'})) {
          $error =1;
      }
      else{
          $username = $ref->{'username'};
          $password = $ref->{'password'};
          $usertype = $ref->{'usertype'};
      }
    }
    $error =1 if !$username;

    die_nice("Invalid username or password<br><a href=main.cgi?do=login>Back To Login Form</a>") if $error;

    if (@errors)
    {
      print "Content-type: text/html\n\n";
      @content = @errors;
      print @content;
      $dbh->disconnect;
      exit;
    }

    my $md5 = Digest::MD5->new;

    my $yday    =  (localtime)[7];
    my @ipa    =  split(/\./,$ENV{'REMOTE_ADDR'});
    my $startip =  $ipa[0] . $ipa[1];
    my $certif  =  $user . "pd-$salt" . $ENV{'HTTP_USER_AGENT'} . $startip ;

    $md5->add($certif);
    my $enc_cert = $md5->hexdigest() ;
    my $set      = $q->param('set');

    $cookie1 = $q->cookie(-name=>'user',
                          -value=>$user,
                          -path=>'/',
                          -domain=>'');
    $cookie2 = $q->cookie(-name=>'pass',
                          -value=>$enc_cert,
                          -path=>'/',
                          -domain=>'');
    print $q->header(-cookie=>[$cookie1,$cookie2]);

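    # 'forward' is request input that is printed into the HTML below, so
    # HTML-escape it before use.
    $forward = $q->escapeHTML($q->param('forward') || "do=main");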

    print qq|<html><p>&nbsp;</p><p>&nbsp;</p><meta http-equiv="refresh" content="1;URL=main.cgi?$forward"><p align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><b>Thanks for logging in</b>, you are now being taken to the staff area</font><br><br><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><a href="staff.cgi?$forward">click here</a> if you are not automatically forwarded</font></p></html>
    |;
    exit;

 }
 #====================#
 #    Log Out                            #
 #====================#
 if ($section eq "logout")
 {
    check_user();

    $cookie1 = $q->cookie(-name => 'user',
                  -value => '',
                  -path => '/',
                  -domain =>'');

    $cookie2 = $q->cookie(-name => 'pass',
                  -value => '',
                  -path => '/',
                  -domain =>'');

    print $q->header(-cookie=>[$cookie1,$cookie2]);

    redirect("$global{'baseurl'}/main.cgi?do=login");
 }
}


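Added example, not code from any poster in this thread: one way to carry the user_id from step 5 in a cookie value that cannot be altered or reused indefinitely, and to apply the per-program check from step 6. The secret, lifetime, token layout, sub names and in-memory access table are assumptions made for the illustration, and all sample values are constructed.

```perl
use strict; use warnings;
use Digest::SHA qw(hmac_sha256_hex);    # core since Perl 5.10, CPAN on 5.8

# Assumption: the real secret is loaded from a file outside the web root.
my $SECRET  = 'constructed-demo-secret';
my $MAX_AGE = 30 * 60;                  # assumed session lifetime, seconds

# Cookie value: "user_id:issued_at:HMAC(user_id:issued_at)".
sub issue_token {
    my ($user_id, $now) = @_;
    my $payload = "$user_id:$now";
    return "$payload:" . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub equal_ct {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user_id if the token is authentic and still fresh, else undef.
sub verify_token {
    my ($token, $now) = @_;
    my ($user_id, $issued, $mac) =
        (defined $token ? $token : '') =~ /\A(\d+):(\d+):([0-9a-f]{64})\z/ or return;
    return unless equal_ct($mac, hmac_sha256_hex("$user_id:$issued", $SECRET));
    return if $issued > $now || $now - $issued > $MAX_AGE;
    return $user_id;
}

# Constructed access table for step 6; a real application would query its
# MySQL table here. User 12346 may run program 7 only.
my %ACCESS = (12346 => { 7 => 1 });

sub may_run {
    my ($token, $program_id, $now) = @_;
    my $user_id = verify_token($token, $now);
    return defined($user_id) && $ACCESS{$user_id}{$program_id} ? 1 : 0;
}

my $t0    = 1_086_000_000;                      # constructed login time
my $token = issue_token(12346, $t0);
(my $forged = $token) =~ s/\A12346/12347/;      # user_id changed, MAC reused
printf "valid=%d forged=%d expired=%d other_program=%d\n",
    may_run($token,  7, $t0 + 60),   may_run($forged, 7, $t0 + 60),
    may_run($token,  7, $t0 + 3600), may_run($token,  8, $t0 + 60);
```

When the token is sent as a cookie, CGI.pm's `-secure` and `-httponly` cookie options keep it off plain HTTP and out of reach of page scripts.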
