Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,
I am building a script where a member is required to log in. I am finding it difficult, as I will have different pages in my members area and I don't know how to keep them logged in as they navigate through the different pages. I have done it like this:
member.pl
member.pl?page1

Now my problem is when the user goes from the main bit to 'page1' or wherever, how can I keep the user logged in and not let others access this area?

Many Thanks,

Jon

Edit - 2001-25-06 Masem - Added more descriptive title.

Re: Newbie Question
by Masem (Monsignor) on Jun 25, 2001 at 17:38 UTC
    You can do it in at least 2 ways: give the user a cookie when they log in, and only allow those that have a cookie to proceed to other pages, or use hidden fields that store some sort of session ID for the user. Both topics have been covered often here at PM, and you should be able to find more help using Super Search, as well as by reading merlyn's columns on web design.


    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
Re: Newbie Question
by cacharbe (Curate) on Jun 25, 2001 at 17:43 UTC
    There are a number of ways to do this, and it isn't specifically a Perl question. Some of the answers will be platform dependent, as most webservers will allow you to control user access at the server level, and maintain your session info.

    You could use cookies that use time stamp info and some kind of GUID to track valid users w/ a back end DB maintaining all the info.

    You should probably take a step back and understand how these concepts work and work together. The answer might present itself.

    C-.

Re: Newbie Question - Maintaining User Authentication Through Multiple Scripts
by sierrathedog04 (Hermit) on Jun 25, 2001 at 17:49 UTC
    Is there some reason why you are doing your own authentication instead of using the Basic authentication offered by Apache, Internet Information Server, Oracle Application Server, and most other web servers?

    If you were using Apache's Basic authentication then you would not need even to worry about this matter. There are also numerous third party authentication/encryption packages. I used to use Entrust from Canada. It also does your work for you, and goes well beyond the basic authentication offered by Apache.

      But there are some problems when the user tries to log out when you use basic auth.
      You must send them an authorization failure, and the user must click cancel ...

      The best way is to send the user a cookie with a timestamp and a unique session ID and store the session in some database on your side or directly in the file system (your choice) :-)
      After each request, read the cookie and update the timestamp in the cookie and the timestamp in the DB for the session ID.
      That system has some problems.
      1. you need a garbage collector process or module to clear timed-out sessions :-)
      2. lots of space when the timeout is short :-)
        I am not sure what that means. Yes, if a user tries to log in using BASIC authentication and then changes her mind she will have to hit the cancel button on the login prompt. I cannot see that as a problem.

        Roll-your-own authentication with cookies frightens me. For one thing, there are security implications. If you are not careful then a clever user could read his own cookie and possibly modify it to become someone else. This whole endeavor seems like reinventing a wheel when you could borrow a bicycle. Use built-in authentication (usually BASIC auth on Apache) unless there is some reason not to. Especially when the person who is rolling his own authentication calls himself a "newbie." Don't ask sixth graders to perform surgery on themselves, and don't ask newbies to write their own authentication modules.
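One way to implement the cookie-plus-session-store scheme that Masem, cacharbe and the nested reply above describe, written here as an added example rather than code from this thread: the cookie carries a random session ID and a timestamp, both covered by an HMAC computed with a server-side secret, which is what answers the cookie-editing worry sierrathedog04 raises; the session record lives in one file per session, its timestamp is refreshed on every request, and gc_sessions is the garbage collector for timed-out sessions the reply asks for. The directory, the SESSION_SECRET environment variable, the cookie name and all the helper names are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): cookie + server-side session store.
# Assumptions: one Storable file per session under $SESSION_DIR, and a
# server-only key in SESSION_SECRET that is never sent to the browser.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use Storable    qw(store retrieve);
use File::Spec;
my $SESSION_DIR = $ENV{SESSION_DIR} || '/tmp/member_sessions';   # assumed path
my $SECRET      = $ENV{SESSION_SECRET} or die "SESSION_SECRET not set\n";
my $TIMEOUT     = 30 * 60;                                       # idle seconds
my $COOKIE_NAME = 'MEMBERSESS';

# 32 random bytes from the OS -> 64-char hex session ID that can't be guessed.
sub random_hex {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "/dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Cookie = "sid.timestamp.hmac".  The HMAC over the first two parts is what
# stops a user editing his own cookie to become someone else.
sub cookie_value {
    my ($sid, $ts) = @_;
    return "$sid.$ts." . hmac_sha256_hex("$sid.$ts", $SECRET);
}

# Constant-time compare so a wrong MAC isn't detectable through timing.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called once, after the login form's credentials have been verified.
sub new_session {
    my ($user) = @_;
    mkdir $SESSION_DIR, 0700 unless -d $SESSION_DIR;
    my $sid  = random_hex(32);
    my %sess = (sid => $sid, user => $user, last_seen => time);
    store \%sess, File::Spec->catfile($SESSION_DIR, "$sid.sess");
    return cookie_value($sid, time);
}

# Called on every page.  Returns the session (refreshing its timestamp on
# disk) or undef when the cookie is missing, altered or timed out.
sub validate_cookie {
    my ($value) = @_;
    return unless defined $value;
    my ($sid, $ts, $mac) = split /\./, $value, 3;
    # only a hex ID ever reaches the filesystem, so the cookie can't name a path
    return unless defined $mac && $sid =~ /\A[0-9a-f]{64}\z/ && $ts =~ /\A\d+\z/;
    return unless secure_eq($mac, hmac_sha256_hex("$sid.$ts", $SECRET));
    my $path = File::Spec->catfile($SESSION_DIR, "$sid.sess");
    return unless -f $path;
    my $sess = retrieve($path);
    if (time - $sess->{last_seen} > $TIMEOUT) { unlink $path; return }
    $sess->{last_seen} = time;
    store $sess, $path;
    return $sess;
}

# The "garbage collector" the thread asks for: drop sessions idle too long.
sub gc_sessions {
    opendir my $dh, $SESSION_DIR or return 0;
    my $removed = 0;
    for my $f (grep { /\A[0-9a-f]{64}\.sess\z/ } readdir $dh) {
        my $path = File::Spec->catfile($SESSION_DIR, $f);
        $removed++ if time - (stat $path)[9] > $TIMEOUT && unlink $path;
    }
    closedir $dh;
    return $removed;
}

if (@ARGV && $ARGV[0] eq '--demo') {           # offline self-check, no server
    my $good = new_session('jon');
    printf "valid cookie  -> %s\n", validate_cookie($good)   ? 'accepted' : 'rejected';
    (my $edited = $good) =~ s/\.\d+\./'.' . (time + 1) . '.'/e;  # change timestamp
    printf "edited cookie -> %s\n", validate_cookie($edited) ? 'accepted' : 'rejected';
    printf "gc removed %d expired session(s)\n", gc_sessions();
    exit;
}

# CGI path: member.pl and member.pl?page1 etc. all run this same check.
my ($raw) = ($ENV{HTTP_COOKIE} // '') =~ /(?:^|;\s*)$COOKIE_NAME=([^;]+)/;
my $sess = validate_cookie($raw);
if (!$sess) { print "Status: 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\nPlease log in.\n"; exit }
print "Set-Cookie: $COOKIE_NAME=", cookie_value($sess->{sid}, time),
      "; Path=/; HttpOnly; Secure; SameSite=Lax\r\n";
print "Content-Type: text/plain\r\n\r\nHello $sess->{user}, page: ", ($ENV{QUERY_STRING} || 'main'), "\n";
```

`SESSION_SECRET=some-long-random-value perl member.pl --demo` creates a session, shows the untouched cookie being accepted and a cookie with an edited timestamp being rejected, then runs the collector. Under a web server the same script reads HTTP_COOKIE instead. It uses the core modules Digest::SHA and Storable rather than the Digest::MD5 of the thread's era, and the Secure cookie flag assumes the site is served over HTTPS.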

Re: Newbie Question - Maintaining User Authentication Through Multiple Scripts
by holygrail (Scribe) on Jun 25, 2001 at 18:06 UTC
    If you're trying to maintain the user authentication on an Apache webserver (where you would use .htaccess files, or some other way to force authentication), you can let the script query the $ENV{REMOTE_USER} to determine the name of the user that logged in.

    --HolyGrail
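Holygrail's approach in script form, as an added example and not code from this thread: when Apache's Basic authentication guards the directory, member.pl only has to read $ENV{REMOTE_USER}, and the one check worth keeping is that the variable is actually present, since a script reached through an unprotected path would otherwise serve every page to anyone. The .htaccess lines, the page table and the placeholder AuthUserFile path are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the thread).  Assumes Apache's Basic authentication
# guards the directory holding member.pl, e.g. with this .htaccess:
#   AuthType Basic
#   AuthName "Members"
#   AuthUserFile /path/outside/docroot/.htpasswd   # placeholder path
#   Require valid-user
use strict;
use warnings;

my %PAGES = (                      # constructed stand-in for the real pages
    ''      => 'Welcome to the members area',
    'page1' => 'Members page 1',
    'page2' => 'Members page 2',
);

# Apache sets REMOTE_USER (and AUTH_TYPE) only after the password check
# succeeded.  If they are missing, the script is being served without the
# .htaccess protection (moved, aliased, misconfigured) and must refuse.
sub current_user {
    my $user = $ENV{REMOTE_USER};
    return unless defined $user && length $user && defined $ENV{AUTH_TYPE};
    return $user;
}

sub render {
    my ($user, $page) = @_;
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
         . "Server authentication missing.\n" unless defined $user;
    my $body = exists $PAGES{$page} ? $PAGES{$page} : 'No such page';
    return "Content-Type: text/plain\r\n\r\n$body, $user.\n";
}

print render(current_user(), $ENV{QUERY_STRING} // '');
```

Without a web server it can be exercised as `REMOTE_USER=jon AUTH_TYPE=Basic QUERY_STRING=page1 perl member.pl`; run with neither variable set, it returns the 403 response instead of the page.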