in reply to Re: Re: cgi passwords
in thread cgi passwords

Ok, you're on the right track with the table structure, but there are still some concerns:
- You would need a way for automatic log out, something based on elapsed time. Otherwise a user can be logged in forever.
- If the "logged in" flag is the only determinant of an authorized user, then when the user is logged in, a million other people can be using his/her username to access the site at the same time.
- If you are checking the status of the user on each page, how are you determining who the user is in the first place??
- You say your site is "a mix of html and cgi". Well, yes, ALL interactive sites are a mix of html and cgi. What we need to know is what is generating the html and cgi - an html file (static) or a perl script (dynamic). In the case of a password-managed site, this is very important.

Basically this goes back to my suggestion before: you are going to have to use cookies to keep track of who the user is and/or his authorization status. Cookies can be set to expire, or will expire automatically. So it's better to either 1) store the username and crypted password as cookies and then verify it with each page view, or 2) go ahead and store the user's authorization status as a cookie. Remember, with Perl there is always more than one way to do things, depending on your specific situation. You could always store the user's authorization status in your log file, but timestamp it and check the timestamp with each page view.

You could also make use of values passed between page views to keep track of the user. These values are either passed in the URL query string (i.e. http://yoursite.com/cgi-bin/script.pl?user=jack) or in a hidden form element (input type=hidden name=user value=jack).

You say you have 2 authorized users. Is this always going to be 2, or at least this small a number? Do the other users have a password also, just fewer privileges? Or is it just the 2 that have a password? If it is just the 2, then forget the Oracle database. Just use a text file or tie a hash to a DB database to store your usernames and passwords. Just crypt them, though.

No, there are no programs that you can just plug-and-play into your site because, as you can see, a password system like you want has to be intertwined into your site. Although someone may have written a module which takes care of the cookies and authentication.

Or, consider Masem's suggestion above, seeing that you only have 2 users. This is the closest thing to a plug-and-play solution. Even some web hosts allow the authentication he is talking about. He is referring to a server authentication method where if a user accesses a page within a secured directory, a username/password box pops up on the screen. A correct password lets the user in the directory. You might be able to direct an incorrect password to another file or directory. But you would have to restructure your site to work with this. All stored usernames and passwords would have to be entered manually, unless you have control of your server....

My suggestion, if you don't want to take on a huge project: Just add a password box to each form and go ahead and display the forms for everybody. If the user has the correct password, he can alter the database. If he doesn't, then he can't alter the database.
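
Added example, not part of the original post: one way to keep the "authorization status in a cookie" together with the elapsed-time check on each page view, so that the value expires on its own and cannot be edited by the client the way a bare `user=jack` value can. The secret, the 15-minute limit and the function names are assumptions for illustration; the sample login time is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);    # core module since Perl 5.10

# Assumptions (not from the post): a server-side secret and a 15-minute limit.
my $SECRET   = 'constructed-demo-secret-change-me';
my $IDLE_MAX = 15 * 60;

# Cookie value is "user:timestamp:mac"; the MAC covers both user and timestamp.
sub make_token {
    my ($user, $now) = @_;
    my $payload = join ':', $user, $now;
    return join ':', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_mac {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Run on every page view: returns the username if the token is authentic
# and still fresh, otherwise undef (treat the visitor as logged out).
sub check_token {
    my ($token, $now) = @_;
    return undef unless defined($token)
        && $token =~ /\A([A-Za-z0-9_]{1,32}):(\d{1,12}):([0-9a-f]{64})\z/;
    my ($user, $stamp, $mac) = ($1, $2, $3);
    my $expected = hmac_sha256_hex(join(':', $user, $stamp), $SECRET);
    return undef unless same_mac($mac, $expected);
    return undef if $now < $stamp || $now - $stamp > $IDLE_MAX;
    return $user;
}

# Constructed sample: a login, a client-edited copy, and a stale page view.
my $t0    = 1_000_000_000;
my $token = make_token('jack', $t0);
(my $edited = $token) =~ s/\Ajack/root/;    # username changed, MAC unchanged

printf "%-18s %s\n", 'fresh token:',      check_token($token,  $t0 + 60)   // 'rejected';
printf "%-18s %s\n", 'edited username:',  check_token($edited, $t0 + 60)   // 'rejected';
printf "%-18s %s\n", 'after idle limit:', check_token($token,  $t0 + 3600) // 'rejected';
```

To make the limit count idle time rather than time since login, reissue the cookie with `make_token($user, time)` after each successful check.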