user authentication

kisaruku has asked for the wisdom of the Perl Monks concerning the following question:

I'm relatively new to perl, so not sure about all the options. I'm building a cgi system, and am trying to figure out what is the best method for user authentication. The system has only one cgi that takes requests and dynamically finds and executes the methods available.

I would like the system to allow anyone to use certain methods, but require authentication for using others. I only want it to request authentication when a user attempts to use one of the protected methods.

The system has to be portable and it can make no assumptions about the webserver except that cgi and perl are available. So I don't think http's WWW-Authenticate is available. I would also like to avoid cookies if possible.

Any ideas or information? Thanks.

Comment on user authentication

Replies are listed 'Best First'.
Re: user authentication by freddo411 (Chaplain) on Jun 15, 2004 at 19:05 UTC
You've opened the can of worms on a fairly complex subject. I Highly recommend that you structure your code using CGI::Application and that you make use of CGI::Session::Auth to create persistant authentication sessions. Note that this uses cookies (why wouldn't you?) Using cookies is the standard way to store pointers to persistant information. If you simply wish to pop a username/passwd challenge for each CGI invocation, as noted above you can do this. Keep in mind you'll still have to write (or borrow) code to solve the problems of authenticating/storing the name/passwds. CPAN is your friend. goodluck. ------------------------------------- Nothing is too wonderful to be true -- Michael Faraday	[reply]
Re: user authentication by Juerd (Abbot) on Jun 15, 2004 at 18:51 UTC
what is the best method for user authentication That depends on what you need. If you need security, SSL (https) fixes those things outside of the programming language, allowing you to focus on the easier things. One easy way to implement authentication is HTTP Basic authentication. This usually generates a dialog window that asks the user for username and password. The biggest drawback is that there isn't an easy and solid way to log out: a user stays logged in for as long as the browser remembers the password, which is usually as long as the browser has a window open. If that is a problem, cookies + sessions are probably what you're looking for. In that case, you'll have to do a lot more. Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }	[reply]
Re^2: user authentication by matija (Priest) on Jun 15, 2004 at 20:07 UTC
It's not hard to log out the user at all: Just return the status code `RC_UNAUTHORIZED (401)` and most browsers will forget the username/password combination.	[reply] [d/l]
Re^3: user authentication by Juerd (Abbot) on Jun 15, 2004 at 20:13 UTC
Just return the status code RC_UNAUTHORIZED (401) and most browsers will forget the username/password combination. And prompt for a new one. Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }	[reply]
Re: user authentication by bradcathey (Prior) on Jun 15, 2004 at 19:56 UTC
A similar question was asked after this posting. Follow that thread as well. For a taste of what you will find if you SuperSearch, try this one. —Brad "Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton	[reply]