Solved

Help needed with Member/Password

Posted on 1998-08-02
20
169 Views
Last Modified: 2013-12-25
Could somone please help me with creating a CGI script using C++ that allows a restricted access area?  I had help from faster a while ago, but he never got back to me when I had begun to understand what he was talking about.  


~Topace~
0
Comment
Question by:Topace
  • 8
  • 3
  • 3
  • +4
20 Comments
 

Expert Comment

by:ijduggan
ID: 1831299
Is there a reason you want to use a script for this? Would it be possible to just set up
the access files on your webserver? What are you trying to accomplish, and what kind of webserver are you running on, and what kind of access (ftp, telnet, etc...) do you have to it?
0
 

Expert Comment

by:ijduggan
ID: 1831300
Is there a reason you want to use a script for this? Would it be possible to just set up
the access files on your webserver? What are you trying to accomplish, and what kind of webserver are you running on, and what kind of access (ftp, telnet, etc...) do you have to it?
0
 
LVL 2

Expert Comment

by:SirCaleb
ID: 1831301
This would be much easier with .htaccess and .htpasswd files...let me know if your still interested and I can help you set these up...they are very simple and easy to use...changing the password and login is simple too...these are encrypted and unbreakalbe.
0
 
LVL 1

Author Comment

by:Topace
ID: 1831302
Well, I want to use a script because the server is not mine.  It is a Windows NT server, and would run fine ith EXE files.  I am not familiar with much else that C++ and some Javascript, and I KNOW javascript would not be secure.  If somone is willing to help me learn the language in order to code it another way, I would be willing to do that.

~Topace~
0
 
LVL 2

Expert Comment

by:SirCaleb
ID: 1831303
You don't need access to the server....as long as you can create a directory in your Webspace you can do it....unless your site is at geocities or something..you should be able to create a directory...lemme know....
0
 

Expert Comment

by:crypticrod
ID: 1831304
what do you mean actually by restricted "passwd" area ?

If you just want users to acess certain documents if the give a valid passwd , it is simple to implement using the forms concept
input type = password..
0
 
LVL 1

Author Comment

by:Topace
ID: 1831305
Yes, I can create directories.  The server will allow EXE scripts.  

By restricted access area, I want the userm to input a User Name and password, and then depending on what they entered, allow them access to the next web page or not.

~Topace~
0
 
LVL 7

Expert Comment

by:faster
ID: 1831306
Well, I have quite busy recently so did not visit this site very often, I can remember part of your problem, so what's the progress?
0
 
LVL 2

Expert Comment

by:SirCaleb
ID: 1831307
TopAce....it is to hard to explain it in here....visit the following URL and it will explain how to do it.....

http://www.web-burza.com/webspan/password.html

This is your best option.  When the user tries to access protected files...he gets a prompt to enter a login and password, if the login fails he will get a big error message...if it succeeds, it will take him to what he is looking for....that person can then move from page to page or file to file in the password protected area without being prompted again..unless he closes his web browswer...
0
 
LVL 6

Expert Comment

by:alamo
ID: 1831308
SirCaleb, if the web server is IIS (which most NT-based web servers are) then the .htaccess approach won't work, and in fact Topace either needs to use NT security (by restricting file rights so that only the desired users can access them) or else use the .exe approach as originally asked.

This is almost a FAQ here at EE, due to IIS' odd security approach.
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 1

Author Comment

by:Topace
ID: 1831309
No, I want it to be a FORM on a web page.  When the user fills out the form (Two fields, Member and password) it will determine if the membername and password are valid.  Then, if they are, it will take them to another (Possibly generated by the EXE script) html page.  I would like, if possible, the restricted access area to be secure.  By this, I mean I want any links while the user is "logged in" to not show an address, or if it does show an address, show the address of the CGI script.  Then when the user clicks the "logout" link, it will allow the address of HTML pages to be displayed in the Location field of their browser.  

Is it easier then it sounds?  I believe that it would be easier through EXE rather that the htpaccess or whatever.


~Topace~
0
 
LVL 6

Expert Comment

by:alamo
ID: 1831310
>>I believe that it would be easier through EXE rather that the htpaccess or whatever.

If you can find such an .exe already written, and it suits your needs perfectly, then both the builtin server security and the form-based EXE approach are about the same difficulty to implement.

If not, and if you have to write or modify an existing EXE, then doing so is (very optimistically) an order of magnitude more difficult. You could use the builtin server security and have a secure area up in an hour, with a pop-up login rather than a form but with access to the pages / files secured. As to the exe approach - no it's not easier than it sounds, it's harder.

Unfortunately, if you are on IIS on NT and don't have the ability to add NT users and set up NT file rights, and don't have access to ASP, then the builtin server security isn't available to you. It's a tricky problem.
0
 
LVL 1

Author Comment

by:Topace
ID: 1831311
No, I don't have access to the NT users.  Like I said, it isn't my server I am just using the space.  I want the user and password prompt to be in  a form rather than a popup, this is the reason I wanted to use a script.

~Topace~
0
 
LVL 1

Accepted Solution

by:
evilgreg earned 220 total points
ID: 1831312
Okay, here's a C program to do that, with some caveats and notes:

*This program doesn't really care what the FORM INPUT's are - it just parses the first as the
username, and the second as the password.
<FORM METHOD="Post" ACTION="url_of_the_exe">
Name? <INPUT TYPE="Text" NAME="Username" SIZE=25>
<P>
Password? <INPUT TYPE="Password" NAME="Groucho" SIZE=25>
<P>
<INPUT TYPE="Submit">
<FORM>
In other words, "Username" and "Groucho" can be anything.

* I'm assuming your cgi program does not have access to local files (i.e. those that are not "world readable" by anyone with a browser). If it does have access, the actual storing of the
usernames and passwords can be done in a separate file.
* This is a fairly simple C file, and *should* compile on almost anything. Obviously, only you can compile it on your system.
* It's fairly simple, but should meet all of your requirements. If you need further help tweaking it, feel free to let me know.
* The program is set up with three example usernames and passwords: "Mike" and "truck", etc.
* Some of the early "defines" obviously should be replaced.
* It should be faily self-explanatory with the comments. Again, let me know if anything is not clear.

-Greg

/** PassThis.c -*-fundamental-*-
    Written by Greg Mullane <greg@turnstep.com>
    This program checks for username/password
**/

/** Maximum sizes for the input **/
#define MAXNAME 30
#define MAXPASSWORD 30

/** The URL of the form to call this program **/
#define GOODFORM "http://my.webserver/me/login.html"

/** The file that a person sees after entering the correct password: **/
#define GOODFILE "mylocalfile.html"

#include <stdio.h>
#include <strings.h>
#include <stdlib.h>

int GoodUser(char *name);

int main (int argc, char **argv) {

  char line[200];
  char name[MAXNAME];
  char password[MAXPASSWORD];
  int  clength;
  int  a,b,x,y,z;

  fprintf(stdout, "Content-type: text/html\n\n");
  fflush(stdout);

  /** Is this properly posted from a web page? **/
  if(!getenv("REQUEST_METHOD")) {
    return(1);
  }

  /** Is it a POST? **/
  if(!strcmp(getenv("REQUEST_METHOD"), "POST") && 
      getenv("CONTENT_TYPE") && !strcmp(getenv("CONTENT_TYPE"),
      "application/x-www-form-urlencoded") && 
      getenv("CONTENT_LENGTH")) {

    clength = atoi(getenv("CONTENT_LENGTH"));

    if (clength>200) { clength=200; }
    fgets(line, clength+1, stdin);    

    /** Parse the data into our fields: **/
    for(x=0, y=0, z=0, a=0, b=0; line[x] !='\0'; x++) {
      if (line[x]=='&') { z++; }
      if (line[x]=='=') { y++; }
      else {
        if (y==1 && !z) { /** Name **/
          name[a++]=line[x];
        }
        if (y==2 && z<2) { /** Password **/
          password[b++]=line[x];
        }
      }
    }
    name[a]='\0';
    password[b++]=line[x]; password[b]='\0';

    name[MAXNAME-1]='\0';
    password[MAXPASSWORD-1]='\0';    

    /** Now check the username and password against a list. **/
    /** It would be better in a file, but we'll build them in for now: **/
   
    /** Modify these as needed **/
    if (!strcmp(name, "Mike"        ) &&
        !strcmp(password, "truck"   )) { GoodUser(name); return(0); }

    if (!strcmp(name, "Greg"        ) &&
        !strcmp(password, "secret"  )) { GoodUser(name); return(0); }

    if (!strcmp(name, "Sarah"       ) &&
        !strcmp(password, "water"   )) { GoodUser(name); return(0); }
   
    /** No matches. Generate a message: **/

    fprintf(stdout, "<HTML><HEAD><TITLE>Sorry!</TITLE></HEAD>\n<BODY>\n");
    fprintf(stdout, "<H1>Oops!</H1>\n");
    fprintf(stdout, "<P>Invalid username/password. Please try again:\n");
    fprintf(stdout, "<A HREF=\"%s\">%s</A>\n</BODY></HTML>\n\n",
                    GOODFORM, GOODFORM);
    fflush(stdout);
    return(3);
  } /** end of if post **/

  /** If they got here, they did not POST correctly: **/

  fprintf(stdout, "<HTML><HEAD><TITLE>Wrong!</TITLE></HEAD>\n<BODY>\n");
  fprintf(stdout, "<H1>Oops!</H1>\n");
  fprintf(stdout, "<P>Please use this form to log in:\n");
  fprintf(stdout, "<A HREF=\"%s\">%s</A>\n</BODY></HTML>\n\n", GOODFORM);
  fflush(stdout);
  return(2);
} /** end of main **/


int GoodUser(char *name) {
  /** Okay, the username and password matches! **/

  FILE *GOOD;

  /** The best way would be to open a local file and echo that **/
  /** to stdout, but, again, we'll assume no local access:     **/
  fprintf(stdout, "<HTML><HEAD><TITLE>Welcome!</TITLE></HEAD>\n<BODY>\n");
  fprintf(stdout, "<H1>Welcome, %s!</H1>\n", name);
  fprintf(stdout, "<P>The rest of the page goes here!\n");
  fprintf(stdout, "</BODY></HTML>\n");
  fflush(stdout);
  return (0);  

  /** Okay, here's that better way: **/
  /** Remember to comment out the above part before using this **/
  /**
  if ((GOOD = fopen(GOODFILE, "r"))==NULL) {
    fprintf(stdout, "<HTML><HEAD><TITLE>Error!</TITLE></HEAD>\n<BODY>\n");
    fprintf(stdout, "<H1>Internal Error!</H1>\n", name);
    fprintf(stdout, "<P>Please contact the administrator!\n");
    fprintf(stdout, "</BODY></HTML>\n");
    fflush(stdout);
    return(4);
  }
  while(fgets(line, 200, GOOD)) {
    fprintf(stdout, "%s", line);
  }
  fclose(GOOD);
  return(0);  
  **/

} /** end of GoodUser(void) **/


0
 
LVL 1

Author Comment

by:Topace
ID: 1831313
Is GET_METHOD a envronment variable that is filled when the form is submitted?

~ace~
0
 
LVL 1

Author Comment

by:Topace
ID: 1831314
Well, I understand a lot of it, but I am going to need to read the help files on some of the functions.  I am somewhat new to C++ (Only used it for about a year), so I am going to interpret the code then I will grade the answer.  Ok?

~Topace~
0
 
LVL 1

Expert Comment

by:evilgreg
ID: 1831315
Sound good to me. REQUEST_METHOD, CONTENT_TYPE, and CONTENT_LENGTH are all sent automatically by the browser to your program - the user filling out the form does never sees them, and shouldn't have to worry about them either. Once the server receives them, they are set as environment variables. As a matter of fact, the only thing that is _NOT_ put into an environment variable is the POST data itself, which is simply sent as STDIN (basically). If you have any more questions, let me know.

   
0
 
LVL 1

Author Comment

by:Topace
ID: 1831316
evilgreg, I know what CONTENT_LENGTH and CONTENT_TYPE are, but what exactly does the evnvironment variable REQUEST_METHOD hold?  I am sorry if I sound dumb, but C++ CGI is fairly new to me, and I am just getting the hang of environment variables.  

Thanks for your patience,

~t~
0
 
LVL 1

Author Comment

by:Topace
ID: 1831317
Okay, I am beginning to understand functions, etc.  Thers is one thing though.  I have not used stdio.h much, I use iostream.h more often, as this is what I was taught c++ with.  Is stdout equivelent to cin?  I mean in this context:


printf("enter value: ");
fflush(stdout);
scanf(result);

This is what is in my help file, and I am trying to figure it out.  Does it mean that the value the user inputs is written to a file, then calls scanf()?

I don't understand, this help file isn't much help! :>

~t~
0
 
LVL 1

Expert Comment

by:evilgreg
ID: 1831318
REQUEST_METHOD is usually either "POST" or "GET" those being the two most common ways of sending information via a form to a cgi script. For the purposes of this program, all you really need is to check if it is equal to "POST"

As far as C/C++, C++ was made as an "enhancement" of C, adding lots of features, making it an object oriented language. I recommend to anyone that is trying to learn C++ to learn C first. A lot of times you don't even need C++ when simple C will do the trick.

Stdio.h is the equivalent of iostream.h. They both are collections of basic input/output functions.
"stdout" is equivalent to cout. printf is the basic way to display output to the screen, and is the same thing as fprintf(stdout, "..."); The fprintf lets you specifiy a file as well. The fflush function merely flushes anything that is held in stdout, in other words, it forces it to be printed to the screen at that moment. I would recommend getting another help file, or using the "man" command if you have access to a unix system.

In the example, you give, printf writes "enter value: " to the screen, then flushes it to make sure
that it was written, then scanf stores whatever the user types in into the variable "result"

Some of these probably can do a better job than me at explaining various C functions:

http://www.cit.ac.nz/smac/cprogram/
http://home1.inet.tele.dk/seth/c-tut.html
http://www.cm.cf.ac.uk/Dave/C/CE.html
http://devcentral.iftech.com/learning/tutorials/c/


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
scripting, exchange 35 47
Batch File to find and replace a string 15 104
Bulk Reorder File Names 4 57
pass a variable from a list to a batch file using psexec 11 47
The following is a collection of cases for strange behaviour when using advanced techniques in DOS batch files. You should have some basic experience in batch "programming", as I'm assuming some knowledge and not further explain the basics. For some…
This article will show, step by step, how to integrate R code into a R Sweave document
Learn the basics of while and for loops in Python.  while loops are used for testing while, or until, a condition is met: The structure of a while loop is as follows:     while <condition>:         do something         repeate: The break statement m…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now