Hi pcc88mxer, Thanks a lot for the reply. I do not quite understand how to defer printing the header after I have checked the user info. Could you kindly elaborate? Without the header at the beginning (before the HTML block), the server is throwing an error and the page is not being created. How do I make the redirect go to HTTP header (so that I can use it instead of q->header(...))? I am sorry.. but I am really new to all this. Thanks and regards, Ken

You'll either do the redirect or you print the header and emit an HTML page:

use CGI;
...
$q = new CGI;

my $login_ok = check_login($q);

if ($login_ok) {
    $q->redirect(...);
} else {
    $q->header(...);
    # emit html page
}
[download]

Move the code that checks for the user's credentials before the code that prints anything.

What stops a user from directly going to http://localhost/cgi-bin/librarian.cgi?

You check for a valid user + password combination in your script and once you reach the other pages, how do these scripts know the user is valid and allowed to reach these pages?

Usually this is done through session-management and cookies and many modules exist that already implement this. Have a look at CGI::Session in that respect.

And while your are looking at modules, CGI::Auth or CGI::Session::Auth may just do what you are trying to achieve!

Perhaps you are trying to re-invent a web-framework and then modules such as Catalyst or CGI::Application are what you are looking for?

Hi Countzero, Your points are very valid and I understand that I need something far more robust to actually restrict access to librarian.cgi. However, I have just started learning CGI/DBI and I want to figure out how to do a simple redirect, which somehow I cannot accomplish even after 6 hours of googling. Thanks and regards, Ken

That's because you've all ready printed html.

Try something like this:

my $q = CGI->new();
if( $q->param() ) {
  # call validate routine
} else {
  # call display login routine
}
[download]

<form name = "login" action = "loginpage.cgi " method = "GET">

Just another side remark.  It's generally better to use the POST method to submit forms that are transmitting sensitive information like passwords etc.  With POST, the info will not be part of the URL (such as loginpage.cgi?username=ken&password=secret&...), as it's the case when using GET, thus reducing the likelihood that passwords will end up in logfiles of webservers, proxies, etc... (yes, I've noticed you're using cache_control, but those directives are more of an advisory nature, ultimately).

It's bad enough already that (with HTTP) the entire traffic goes over the wire in the clear anyway, but you certainly don't want passwords to be stored persistently in logfiles... for the unsuspecting admin to stumble across inadvertently :) — remember that people often use the same password in multiple places, so knowing one might compromise more than this immediate web resource.

#notice single quotes
print $q->redirect(-uri => 'http://localhost/cgi-bin/librarian.cgi');
[download]

Thanks zentara but that suggestion did not make a difference. Regards, Ken

Have you tried the print Location trick? Although I think it falls into the same boat as the header discussion by others.

#!/usr/bin/perl

$url1 = 'http://zentara.zentara.net';
$url2 = 'http://zentara.zentara.net/~zentara';

if ($ENV{'HTTP_USER_AGENT'} =~ /Mozilla/
and not $ENV{'HTTP_USER_AGENT'} =~ /compatible/i ) {
print "Location: $url1\n\n";
} else {
print "Location: $url2\n\n";
}
[download]

---

I'm not really a human, but I play one on earth. Cogito ergo sum a bum