Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi PerlMonks,

I have created a script which requires a user login, I use cookies to store the username and an MD5 string which is then checked whenever the script is called.

Now, I have received several requests from people who are interested in extending this user login to cover a 'client' type area of their site - the only way I can see this being done is by using the .htaccess/passwd files to control access from the web - but the question is, is there any way that I can use my own client mysql db to authenticate and manage that, like collecting the username + password from their input and issuing a cookie for a successful login? Any thoughts welcome, thanks John

(Ovid) Re: Integrating Script with .htaccess
by Ovid (Cardinal) on Dec 05, 2001 at 00:31 UTC

    The main objection that I have to .htaccess files being used as authentication is that I know of no convenient way to time them out (I'd love to hear a rebuttal of that!!!). This can be a huge security hole.

    Second, unless you are using Digest Authentication (which is not widely supported), then the username and password are sent using Basic Authentication in what is essentially plain text. If you use this method, be sure to serve the pages via a secure connection and make sure that the cookies will only be returned over a secure connection.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: Integrating Script with .htaccess
by belg4mit (Prior) on Dec 05, 2001 at 00:33 UTC
    mod_perl with Apache::AuthenDBI sounds about right. Or if no mod_perl mod_auth_mysql, etc.

    UPDATE: Fixed typo s/DB/DBI/;

    --
    perl -p -e "s/(?:\w);([st])/'\$1/mg"

Re: Integrating Script with .htaccess
by TomK32 (Monk) on Dec 05, 2001 at 00:32 UTC
    How about putting the scripts into this secured client area and then simply leave out your login code? It's kinda risky but should work.
    -- package Lizard::King; sub can { do { 'anything'} };
Re: Integrating Script with .htaccess
by Rhandom (Curate) on Dec 05, 2001 at 04:04 UTC
    Another option is to create your own htauth style thing. However, I think it requires a recompile of stock Apache. There is a -D option that allows you to let HT Authentication tokens be passed through in the $ENV{HTTP_AUTHORIZATION} variable. Some may discourage this as it opens the submitted username and password up for viewing inside the script, but it is no less secure than what you were doing with cookies. The benefit of this is that you don't have to do mod_perl (you can, we have scripts to use it and some that don't that use the same login system).

    package MyAuth;
    use strict;
    use warnings;
    use MIME::Base64 qw(decode_base64);   # stands in for the BASE64_DECODE placeholder

    sub Authorize {
        # Apache only hands the header to a CGI when built with the -D option mentioned above
        if ( ($ENV{HTTP_AUTHORIZATION} || '') =~ /^Basic (.*)/i ) {
            my $up = $1 || '';
            my ($user, $pass) = split( /:/, decode_base64($up), 2 );
            if ( db_query($user, $pass) ) {   # your own MySQL lookup of user + password
                $ENV{REMOTE_USER} = $user;
                return "success";
            }
        }
        # no header, or credentials rejected: send the Basic challenge and stop here
        print "Status: 401 Authorization Failed\r\n";
        print "WWW-Authenticate: Basic realm=\"whatever\"\r\n";
        print "Content-type: text/html\r\n\r\n";
        print "Content to be displayed on a canceled login.";
        exit;
    }
    1;

    Then in your cgi put the following...

    #!/usr/bin/perl
    use MyAuth;
    MyAuth::Authorize;
    # below this line I am authorized
    # do whatever else

    You can even write a hybrid that does cookies if they have them, and htauth if they don't (we have a hybrid system that does just that).

    my @a=qw(random brilliant braindead); print $a[rand(@a)];
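An added example, not code from the thread or from Rhandom's system: one shape the hybrid he describes can take, with the cookie made to time out the way Ovid asked for (an expiry plus an HMAC over user and expiry, so it cannot be forged or extended without the server secret) and marked Secure. The $check callback stands in for the OP's own MySQL lookup, and $SECRET is a placeholder to be replaced with a long random value kept on the server.

```perl
package HybridAuth;
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Digest::SHA  qw(hmac_sha256_hex);

my $SECRET   = 'REPLACE-WITH-LONG-RANDOM-SECRET';   # placeholder, server-side only
my $LIFETIME = 30 * 60;                              # session lifetime, 30 minutes

# Cookie value is "user|expiry|hmac(user|expiry)"; the MAC ties the user to the
# expiry, so neither field can be changed without the secret.
sub make_cookie {
    my ($user, $now) = @_;
    my $exp = ($now // time) + $LIFETIME;
    my $mac = hmac_sha256_hex("$user|$exp", $SECRET);
    return "$user|$exp|$mac";
}

# Returns the username if the cookie is well-formed, unexpired and the MAC
# matches; undef otherwise. Comparison is constant-time over the MAC bytes.
sub verify_cookie {
    my ($value, $now) = @_;
    my ($user, $exp, $mac) = split /\|/, $value // '', 3;
    return undef unless defined $mac && defined $exp && $exp =~ /^\d+$/;
    return undef if ($now // time) > $exp;                   # expired
    my $want = hmac_sha256_hex("$user|$exp", $SECRET);
    return undef unless length($mac) == length($want);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return $diff ? undef : $user;
}

# Cookie first, Basic auth second. Returns (user, Set-Cookie header or undef);
# returns an empty list when neither works, and the caller sends the 401.
sub authorize {
    my ($env, $check) = @_;   # $env is %ENV or a copy; $check->($user,$pass) is the DB lookup
    my ($cookie) = ($env->{HTTP_COOKIE} // '') =~ /(?:^|;\s*)session=([^;]+)/;
    if (my $user = verify_cookie($cookie)) { return ($user, undef) }
    if (($env->{HTTP_AUTHORIZATION} // '') =~ /^Basic\s+(\S+)/i) {
        my ($user, $pass) = split /:/, decode_base64($1), 2;
        if (defined $pass && $check->($user, $pass)) {
            my $hdr = "Set-Cookie: session=" . make_cookie($user)
                    . "; Secure; HttpOnly; Path=/";
            return ($user, $hdr);
        }
    }
    return;
}
1;
```

A CGI would call authorize(\%ENV, \&db_query), print the returned header on a fresh login, and fall back to the 401 challenge from MyAuth::Authorize above when nothing is returned.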