This is slightly more complicated than it seems.

A login form's role is to _authenticate_ a user as one trusted to use resources behind the web form. The next step is to check whether a logged in user to is _authorized_ to access a particular resource. As your applications grow, you may find that some legitimate users should have access to some functions that should not be made available to others.

You'll need a way to secure the connection over which the authentication (and any subsequent transmittal of private data) takes place. And a way to preserve the session, that is, to know that the next http request from your authenticated and authorized user is just as legitimate as the last one.

I'm still experimenting with what approach I find easiest to work with.

For secure connections, I use apache-ssl for its encrypted connections. I earlier rejected the apache .htaccess methods suggested by another responder because it passes plain text tokens in the clear, before creating the ssl connection. I prefer my login screens protected by encryption. If the data is really worth protecting, then there is no sense in exposing it to the vulnerability of snooped passwords on the login screen.

For similar reasons, I mistrust cookies and hidden form values as they expose your session management to user manipulation. While I'll pass a token back and forth, it would not contain anything other than the session ID. Where security matters, I would choose to store all other session data on the server, related to the session ID.

My latest experiment with a secure login front end to a multi-function cgi script starts out:

use DBIx::UserDB;
use DBIx::SearchProfiles;
use CGI qw(:standard);
use CGI::SecureState;
use CGI::Carp qw(fatalsToBrowser);
use WWW::Authenticate_he;

[download]
WWW::Authenticate_he is my adaptation of WWW::Authenticate. I'd suggest you check out the DBIx modules listed above, as well as CGI::SecureState and WWW::Authenticate. Those just may prove useful to you.

-- Hugh

In reply to Re: Perl/CGI login by hesco
in thread Perl/CGI login by muclc7

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.