swiftone has asked for the wisdom of the Perl Monks concerning the following question:

So, as mentioned elsewhere, I'm building a message base to integrate into the rest of the site. This requires that our users be authenticated. I dislike cookies, and they're a pain to debug, so I'm trying to avoid them. I'm currently looking at using the Apache module mod_auth_mysql. I know Perl can access the Remote user through %ENV. What is not clear is how trustworthy this is. (Actually, the whole .htaccess authentication method is not really explained...how does the server know which browser is which user? Is it trusting the IP, which we've been told we shouldn't trust?)

My questions are:

  1. Can I trust $ENV{REMOTE_USER} (to the extent anything can be trusted)?
  2. Eventually I will grok mod_perl and convert the system over. Will $ENV{REMOTE_USER} still be available?

Thanks in advance

Re: Trusting Environment
by KM (Priest) on Sep 07, 2000 at 19:21 UTC
    Can I trust $ENV{REMOTE_USER} (to the extent anything can be trusted)?

    Personally, I have never found a way to remotely spoof REMOTE_USER. Unless someone else has heard differently, I think it is trustworthy, since it is set based on the challenge/response of authentication. If someone is authenticated into a realm, I don't know how they could override the server's setting, unless you do something in your script (like $ENV{REMOTE_USER} = $user_input).

    Eventually I will grok mod_perl and convert the system over. Will $ENV{REMOTE_USER} still be available?

    Yes. If you are using a mod_perl module as your auth handler, it simply steps in the middle to handle the authentication process (i.e., uses a db rather than an htpasswd-type file). Also, there are mod_perl APIs to get the value of REMOTE_USER directly from the server.

    Actually, the whole .htaccess authentication method is not really explained...how does the server know which browser is which user? Is it trusting the IP, which we've been told we shouldn't trust?

    The browser knows what username/password combo to send a given domain/realm combo. The server says "Hey, do I know you?", and the browser either says "Yes, here is my info" (after already authenticating) or "No, let me tell you" (after filling in an auth dialog box). It has nothing to do with IP, just the WWW-Authenticate part of the header a browser sends along when challenged (or in advance of being challenged, when it (hopefully) knows it will be).

    Cheers,
    KM
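
The challenge/response described above, sketched as an added example (not code from this thread or from Apache): a server-side check for HTTP Basic authentication, in which the server challenges with `WWW-Authenticate` and the browser answers with an `Authorization` header on each request. The user table, salt, realm name and client addresses are constructed for illustration, and `authenticate` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(sha256_hex);

# Constructed credential store; stands in for the htpasswd file or the
# mod_auth_mysql table. Salt and password are sample values only.
my $SALT  = 'constructed-salt';
my %USERS = ( swiftone => sha256_hex($SALT . 'correct horse') );

# Decide one request. Returns (401, challenge header) or (200, user name).
# $remote_addr is accepted but never consulted: identity comes from the
# credentials the browser sends, not from the client address.
sub authenticate {
    my ($headers, $remote_addr) = @_;
    my $challenge = 'WWW-Authenticate: Basic realm="Message Base"';
    my $auth = $headers->{Authorization} // '';
    return (401, $challenge) unless $auth =~ /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/;
    # Payload is base64("user:password"); split on the first colon only.
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return (401, $challenge) unless defined $pass && exists $USERS{$user};
    return (401, $challenge) unless sha256_hex($SALT . $pass) eq $USERS{$user};
    return (200, $user);    # the server exports this value as REMOTE_USER
}

# Constructed requests: no credentials, valid credentials from two different
# addresses, and a wrong password.
my $good = 'Basic ' . encode_base64('swiftone:correct horse', '');
my $bad  = 'Basic ' . encode_base64('swiftone:guess', '');
my @requests = (
    [ 'first visit, no credentials', {},                        '192.0.2.10'   ],
    [ 'browser replays credentials', { Authorization => $good }, '192.0.2.10'   ],
    [ 'same credentials, other IP',  { Authorization => $good }, '198.51.100.7' ],
    [ 'wrong password',              { Authorization => $bad },  '192.0.2.10'   ],
);

for my $r (@requests) {
    my ($label, $headers, $ip) = @$r;
    my ($status, $detail) = authenticate($headers, $ip);
    printf "%-28s %-13s %d %s\n", $label, $ip, $status,
        $status == 200 ? "REMOTE_USER=$detail" : $detail;
}
```

Base64 is an encoding, not encryption, so the credentials in the `Authorization` header are readable to anyone who can observe the request unless the connection uses TLS.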

Re: Trusting Environment
by merlyn (Sage) on Sep 07, 2000 at 19:16 UTC
    REMOTE_USER can be trusted as long as you also ensure that no one else on the box can execute your script directly, either from the command line or from other CGI programs.

    If you are using mod_perl there's an API callback that gets you the same information stuffed into REMOTE_USER. In fact, you can even get the password used as well. {grin}

    -- Randal L. Schwartz, Perl hacker