Solved

Help needed with Member/Password

Posted on 1998-08-02
Last Modified: 2013-12-25
Could someone please help me with creating a CGI script using C++ that allows a restricted access area?  I had help from faster a while ago, but he never got back to me when I had begun to understand what he was talking about.  


~Topace~
Question by:Topace

Expert Comment

by:ijduggan
Is there a reason you want to use a script for this? Would it be possible to just set up
the access files on your webserver? What are you trying to accomplish, and what kind of webserver are you running on, and what kind of access (ftp, telnet, etc...) do you have to it?

Expert Comment

by:SirCaleb
This would be much easier with .htaccess and .htpasswd files...let me know if you're still interested and I can help you set these up...they are very simple and easy to use...changing the password and login is simple too...these are encrypted and unbreakable.

Author Comment

by:Topace
Well, I want to use a script because the server is not mine.  It is a Windows NT server, and would run fine with EXE files.  I am not familiar with much else than C++ and some Javascript, and I KNOW javascript would not be secure.  If someone is willing to help me learn the language in order to code it another way, I would be willing to do that.

~Topace~

Expert Comment

by:SirCaleb
You don't need access to the server....as long as you can create a directory in your Webspace you can do it....unless your site is at geocities or something..you should be able to create a directory...lemme know....

Expert Comment

by:crypticrod
what do you mean actually by restricted "passwd" area ?

If you just want users to access certain documents if they give a valid passwd, it is simple to implement using the forms concept
input type = password..

Author Comment

by:Topace
Yes, I can create directories.  The server will allow EXE scripts.  

By restricted access area, I want the user to input a User Name and password, and then depending on what they entered, allow them access to the next web page or not.

~Topace~

Expert Comment

by:faster
Well, I have been quite busy recently so did not visit this site very often. I can remember part of your problem, so what's the progress?

Expert Comment

by:SirCaleb
TopAce....it is too hard to explain it in here....visit the following URL and it will explain how to do it.....

http://www.web-burza.com/webspan/password.html

This is your best option.  When the user tries to access protected files...he gets a prompt to enter a login and password, if the login fails he will get a big error message...if it succeeds, it will take him to what he is looking for....that person can then move from page to page or file to file in the password protected area without being prompted again..unless he closes his web browser...

Expert Comment

by:alamo
SirCaleb, if the web server is IIS (which most NT-based web servers are) then the .htaccess approach won't work, and in fact Topace either needs to use NT security (by restricting file rights so that only the desired users can access them) or else use the .exe approach as originally asked.

This is almost a FAQ here at EE, due to IIS' odd security approach.

Author Comment

by:Topace
No, I want it to be a FORM on a web page.  When the user fills out the form (Two fields, Member and password) it will determine if the membername and password are valid.  Then, if they are, it will take them to another (Possibly generated by the EXE script) html page.  I would like, if possible, the restricted access area to be secure.  By this, I mean I want any links while the user is "logged in" to not show an address, or if it does show an address, show the address of the CGI script.  Then when the user clicks the "logout" link, it will allow the address of HTML pages to be displayed in the Location field of their browser.  

Is it easier than it sounds?  I believe that it would be easier through EXE rather than the htpaccess or whatever.


~Topace~

Expert Comment

by:alamo
>>I believe that it would be easier through EXE rather that the htpaccess or whatever.

If you can find such an .exe already written, and it suits your needs perfectly, then both the builtin server security and the form-based EXE approach are about the same difficulty to implement.

If not, and if you have to write or modify an existing EXE, then doing so is (very optimistically) an order of magnitude more difficult. You could use the builtin server security and have a secure area up in an hour, with a pop-up login rather than a form but with access to the pages / files secured. As to the exe approach - no it's not easier than it sounds, it's harder.

Unfortunately, if you are on IIS on NT and don't have the ability to add NT users and set up NT file rights, and don't have access to ASP, then the builtin server security isn't available to you. It's a tricky problem.

Author Comment

by:Topace
No, I don't have access to the NT users.  Like I said, it isn't my server I am just using the space.  I want the user and password prompt to be in  a form rather than a popup, this is the reason I wanted to use a script.

~Topace~

Accepted Solution

by:evilgreg (earned 220 total points)
Okay, here's a C program to do that, with some caveats and notes:

*This program doesn't really care what the FORM INPUT's are - it just parses the first as the
username, and the second as the password.
<FORM METHOD="Post" ACTION="url_of_the_exe">
Name? <INPUT TYPE="Text" NAME="Username" SIZE=25>
<P>
Password? <INPUT TYPE="Password" NAME="Groucho" SIZE=25>
<P>
<INPUT TYPE="Submit">
</FORM>
In other words, "Username" and "Groucho" can be anything.

* I'm assuming your cgi program does not have access to local files (i.e. those that are not "world readable" by anyone with a browser). If it does have access, the actual storing of the
usernames and passwords can be done in a separate file.
* This is a fairly simple C file, and *should* compile on almost anything. Obviously, only you can compile it on your system.
* It's fairly simple, but should meet all of your requirements. If you need further help tweaking it, feel free to let me know.
* The program is set up with three example usernames and passwords: "Mike" and "truck", etc.
* Some of the early "defines" obviously should be replaced.
* It should be fairly self-explanatory with the comments. Again, let me know if anything is not clear.

-Greg

/** PassThis.c -*-fundamental-*-
    Written by Greg Mullane <greg@turnstep.com>
    This program checks for username/password
**/

/** Maximum sizes for the input **/
#define MAXNAME 30
#define MAXPASSWORD 30

/** The URL of the form to call this program **/
#define GOODFORM "http://my.webserver/me/login.html"

/** The file that a person sees after entering the correct password: **/
#define GOODFILE "mylocalfile.html"

#include <stdio.h>
#include <string.h>   /** strcmp() is declared here **/
#include <stdlib.h>

int GoodUser(char *name);

int main (int argc, char **argv) {

  char line[200];
  char name[MAXNAME];
  char password[MAXPASSWORD];
  int  clength;
  int  a,b,x,y,z;

  fprintf(stdout, "Content-type: text/html\n\n");
  fflush(stdout);

  /** Is this properly posted from a web page? **/
  if(!getenv("REQUEST_METHOD")) {
    return(1);
  }

  /** Is it a POST? **/
  if(!strcmp(getenv("REQUEST_METHOD"), "POST") &&
      getenv("CONTENT_TYPE") && !strcmp(getenv("CONTENT_TYPE"),
      "application/x-www-form-urlencoded") &&
      getenv("CONTENT_LENGTH")) {

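    clength = atoi(getenv("CONTENT_LENGTH"));

    /** Clamp to the buffer: fgets() writes up to clength+1 bytes **/
    if (clength<0) { clength=0; }
    if (clength>(int)sizeof(line)-1) { clength=(int)sizeof(line)-1; }
    if (!fgets(line, clength+1, stdin)) { line[0]='\0'; }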

    /** Parse the data into our fields: **/
    for(x=0, y=0, z=0, a=0, b=0; line[x] !='\0'; x++) {
      if (line[x]=='&') { z++; }
      if (line[x]=='=') { y++; }
      else {
        /** The bounds checks keep long input from overflowing the arrays **/
        if (y==1 && !z && a<MAXNAME-1) { /** Name **/
          name[a++]=line[x];
        }
        if (y==2 && z<2 && b<MAXPASSWORD-1) { /** Password **/
          password[b++]=line[x];
        }
      }
    }
    name[a]='\0';
    password[b]='\0';

    /** Now check the username and password against a list. **/
    /** It would be better in a file, but we'll build them in for now: **/
   
    /** Modify these as needed **/
    if (!strcmp(name, "Mike"        ) &&
        !strcmp(password, "truck"   )) { GoodUser(name); return(0); }

    if (!strcmp(name, "Greg"        ) &&
        !strcmp(password, "secret"  )) { GoodUser(name); return(0); }

    if (!strcmp(name, "Sarah"       ) &&
        !strcmp(password, "water"   )) { GoodUser(name); return(0); }
   
    /** No matches. Generate a message: **/

    fprintf(stdout, "<HTML><HEAD><TITLE>Sorry!</TITLE></HEAD>\n<BODY>\n");
    fprintf(stdout, "<H1>Oops!</H1>\n");
    fprintf(stdout, "<P>Invalid username/password. Please try again:\n");
    fprintf(stdout, "<A HREF=\"%s\">%s</A>\n</BODY></HTML>\n\n",
                    GOODFORM, GOODFORM);
    fflush(stdout);
    return(3);
  } /** end of if post **/

  /** If they got here, they did not POST correctly: **/

  fprintf(stdout, "<HTML><HEAD><TITLE>Wrong!</TITLE></HEAD>\n<BODY>\n");
  fprintf(stdout, "<H1>Oops!</H1>\n");
  fprintf(stdout, "<P>Please use this form to log in:\n");
  fprintf(stdout, "<A HREF=\"%s\">%s</A>\n</BODY></HTML>\n\n",
                  GOODFORM, GOODFORM);
  fflush(stdout);
  return(2);
} /** end of main **/


int GoodUser(char *name) {
  /** Okay, the username and password matches! **/

  FILE *GOOD;

  /** The best way would be to open a local file and echo that **/
  /** to stdout, but, again, we'll assume no local access:     **/
  fprintf(stdout, "<HTML><HEAD><TITLE>Welcome!</TITLE></HEAD>\n<BODY>\n");
  fprintf(stdout, "<H1>Welcome, %s!</H1>\n", name);
  fprintf(stdout, "<P>The rest of the page goes here!\n");
  fprintf(stdout, "</BODY></HTML>\n");
  fflush(stdout);
  return (0);  

  /** Okay, here's that better way: **/
  /** Remember to comment out the above part before using this **/
  /** Also declare "char line[200];" next to GOOD: main's line is not visible here **/
  /**
  if ((GOOD = fopen(GOODFILE, "r"))==NULL) {
    fprintf(stdout, "<HTML><HEAD><TITLE>Error!</TITLE></HEAD>\n<BODY>\n");
    fprintf(stdout, "<H1>Internal Error!</H1>\n");
    fprintf(stdout, "<P>Please contact the administrator!\n");
    fprintf(stdout, "</BODY></HTML>\n");
    fflush(stdout);
    return(4);
  }
  while(fgets(line, 200, GOOD)) {
    fprintf(stdout, "%s", line);
  }
  fclose(GOOD);
  return(0);  
  **/

} /** end of GoodUser(void) **/


0
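Added example (not part of the answer above or of the original thread): the answer's parser takes the first form value as the username and the second as the password, but copies the raw urlencoded bytes, so a value containing a space or punctuation arrives as `+` or `%XX` and never matches. The function below extracts the N-th value with percent-decoding and rejects input that does not fit the buffer instead of truncating it; the name `form_value` and its return convention are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
  if (c >= '0' && c <= '9') return c - '0';
  c = tolower(c);
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  return -1;
}

/* Decode the value of the index-th (0-based) "name=value" pair of an
   application/x-www-form-urlencoded body into out (outsz bytes).
   Returns the decoded length, or -1 (with out set to "") when the pair is
   missing, has no '=', has a bad %XX escape, decodes to NUL, or does not fit. */
int form_value(const char *body, int index, char *out, size_t outsz) {
  const char *p = body;
  size_t n = 0;
  if (outsz == 0) return -1;
  out[0] = '\0';
  while (index-- > 0) {                      /* skip the earlier pairs */
    if ((p = strchr(p, '&')) == NULL) return -1;
    p++;
  }
  while (*p && *p != '=' && *p != '&') p++;  /* skip the field name */
  if (*p != '=') return -1;
  for (p++; *p && *p != '&'; p++) {
    int c = (unsigned char)*p;
    if (c == '+') {
      c = ' ';
    } else if (c == '%') {
      int hi = hexval((unsigned char)p[1]);
      int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
      if (lo < 0) { out[0] = '\0'; return -1; }
      c = hi * 16 + lo;
      p += 2;
    }
    /* Refuse rather than truncate: a cut-off password must not match. */
    if (c == 0 || n + 1 >= outsz) { out[0] = '\0'; return -1; }
    out[n++] = (char)c;
  }
  out[n] = '\0';
  return (int)n;
}

int main(void) {                             /* constructed sample body */
  char pw[30];
  return form_value("Username=Mike&Groucho=tr%75ck", 1, pw, sizeof pw) == 5 ? 0 : 1;
}
```

A return of -1 should be treated as a failed login, the same as a wrong password.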
 

Author Comment

by:Topace
Is GET_METHOD an environment variable that is filled when the form is submitted?

~ace~

Author Comment

by:Topace
Well, I understand a lot of it, but I am going to need to read the help files on some of the functions.  I am somewhat new to C++ (Only used it for about a year), so I am going to interpret the code then I will grade the answer.  Ok?

~Topace~

Expert Comment

by:evilgreg
Sounds good to me. REQUEST_METHOD, CONTENT_TYPE, and CONTENT_LENGTH are all sent automatically by the browser to your program - the user filling out the form never sees them, and shouldn't have to worry about them either. Once the server receives them, they are set as environment variables. As a matter of fact, the only thing that is _NOT_ put into an environment variable is the POST data itself, which is simply sent as STDIN (basically). If you have any more questions, let me know.

   

Author Comment

by:Topace
evilgreg, I know what CONTENT_LENGTH and CONTENT_TYPE are, but what exactly does the environment variable REQUEST_METHOD hold?  I am sorry if I sound dumb, but C++ CGI is fairly new to me, and I am just getting the hang of environment variables.  

Thanks for your patience,

~t~

Author Comment

by:Topace
Okay, I am beginning to understand functions, etc.  There is one thing though.  I have not used stdio.h much, I use iostream.h more often, as this is what I was taught C++ with.  Is stdout equivalent to cin?  I mean in this context:


printf("enter value: ");
fflush(stdout);
scanf(result);

This is what is in my help file, and I am trying to figure it out.  Does it mean that the value the user inputs is written to a file, then calls scanf()?

I don't understand, this help file isn't much help! :>

~t~

Expert Comment

by:evilgreg
REQUEST_METHOD is usually either "POST" or "GET", those being the two most common ways of sending information via a form to a cgi script. For the purposes of this program, all you really need is to check if it is equal to "POST".

As far as C/C++, C++ was made as an "enhancement" of C, adding lots of features, making it an object oriented language. I recommend to anyone that is trying to learn C++ to learn C first. A lot of times you don't even need C++ when simple C will do the trick.

Stdio.h is the equivalent of iostream.h. They both are collections of basic input/output functions.
"stdout" is equivalent to cout. printf is the basic way to display output to the screen, and is the same thing as fprintf(stdout, "..."); The fprintf lets you specify a file as well. The fflush function merely flushes anything that is held in stdout, in other words, it forces it to be printed to the screen at that moment. I would recommend getting another help file, or using the "man" command if you have access to a unix system.

In the example you give, printf writes "enter value: " to the screen, then flushes it to make sure
that it was written, then scanf stores whatever the user types in into the variable "result".

Some of these probably can do a better job than me at explaining various C functions:

http://www.cit.ac.nz/smac/cprogram/
http://home1.inet.tele.dk/seth/c-tut.html
http://www.cm.cf.ac.uk/Dave/C/CE.html
http://devcentral.iftech.com/learning/tutorials/c/

