Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Is there a commonly-used way to password-protect a CGI program other than using a .htaccess file? I have written a Perl program to update a MySQL database. Authorized, non-technical users will be the users. Because maintaining .htaccess files is a bit of a pain (no easy way to change or reset passwords), I'd like to try something different.

I'm hoping that there's a well-supported Perl module that I could use in my code to handle this. There are a gazillion encryption modules on CPAN, but I haven't stumbled across something specifically for this type of thing. Any suggestions?

This will run on a Sun Solaris box. The users do not have Unix accounts.

(P.S. On a completely unrelated topic, can anyone tell me why, whenever I click a link on perlmonks.org, I get logged out? I'm using IE 5.5 on a Win98 box, and cookies are enabled.)

Replies are listed 'Best First'.
Re: Password Authentication Module
by cjf (Parson) on Jul 02, 2002 at 21:24 UTC
Re: Password Authentication Module
by Zaxo (Archbishop) on Jul 02, 2002 at 23:04 UTC

    By adding support for auth groups, you can avoid frequent rewrites of your .htaccess file, along with keeping it short.

    # in .htaccess
    AuthType basic
    AuthDBMGroupFile /path/to/.htpasswd
    AuthDBMUserFile /path/to/.htpasswd
    # group names on a require line are separated by whitespace
    require group user admin

    This is set up to use a single User- and GroupFile. Add a colon and a comma-separated list of auth groups to the crypted password entry in .htpasswd. I've assumed mod_auth_dbm here. See the Apache docs for details.

    After Compline,
    Zaxo

Re: Password Authentication Module
by jjohn (Beadle) on Jul 03, 2002 at 01:40 UTC

    Is there a commonly-used way to password-protect a CGI program other than using a .htaccess file? I have written a Perl program to update a MySQL database. Authorized, non-technical users will be the users. Because maintaining .htaccess files is a bit of a pain (no easy way to change or reset passwords), I'd like to try something different.

    If you let Apache do the authentication and authorization, your CGI app has a lot less to think about and is generally going to run faster (always a plus when dealing with vanilla CGI). Apache can be made to use DBM files and even MySQL tables instead of flat text files. The Apache module that uses MySQL tables is mod_auth_mysql.

    The problem with this approach is that every time a user wants a restricted page, the auth/authz phase has to frob the DB server again. If you have a busy site, this will become a bottleneck for you. At that point, you should look into a ticket-based authentication system that only queries the DB once per session and uses HTTP cookies for authentication in subsequent requests. There is a mod_perl solution available on CPAN that I recommend for this very purpose called Apache::AuthCookie.

    In general, if Apache gives you functionality for free, it's best to figure out how to leverage that. Not only will you get better performance, you're likely to encounter fewer bugs (freeing you to create new ones in your own code :-).
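
The ticket scheme described in the reply above, as an added example that is not part of the original thread and is not Apache::AuthCookie's own code: the password is checked against the database once, then an HMAC-signed, expiring ticket travels in a cookie and is verified on later requests without a DB query. The secret, lifetime, sample usernames and all function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: the real secret is random and loaded from a file only the web
# server user can read; this value is a constructed placeholder.
my $SECRET = 'replace-with-32-random-bytes';
my $TTL    = 30 * 60;    # ticket lifetime in seconds

# Call once, after the username/password has been checked against the DB.
sub issue_ticket {
    my ($user, $now) = @_;
    $now = time unless defined $now;
    my $payload = $user . ':' . ($now + $TTL);
    return $payload . ':' . hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison, so the MAC check does not reveal how many
# leading characters of a guessed MAC were correct.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Call on every later request with the cookie value; no DB query needed.
# Returns the username, or nothing if the ticket is malformed, forged or expired.
sub verify_ticket {
    my ($ticket, $now) = @_;
    $now = time unless defined $now;
    my ($user, $expires, $mac) =
        ($ticket // '') =~ /\A([A-Za-z0-9_.-]{1,32}):(\d{1,10}):([0-9a-f]{64})\z/
        or return;
    return unless secure_eq($mac, hmac_sha256_hex("$user:$expires", $SECRET));
    return if $expires <= $now;
    return $user;
}

# Constructed demo values: a fixed clock, one honest ticket, one tampered copy.
my $t0     = 1_025_660_400;
my $ticket = issue_ticket('alice', $t0);
(my $forged = $ticket) =~ s/\Aalice/admin/;    # username changed, MAC left as-is
print "valid:   ", verify_ticket($ticket, $t0 + 60)   // 'rejected', "\n";
print "forged:  ", verify_ticket($forged, $t0 + 60)   // 'rejected', "\n";
print "expired: ", verify_ticket($ticket, $t0 + $TTL) // 'rejected', "\n";
```

The ticket is only as safe as the cookie that carries it: serve the application over HTTPS and mark the cookie Secure and HttpOnly so it cannot be read off the wire or from script.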

Re: Password Authentication Module
by tomhukins (Curate) on Jul 02, 2002 at 21:23 UTC
    If you type CGI authentication into the search box found at the top of each page, you'll find some useful information. Please check to see if your question has been discussed previously before posting.