Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

500 points for the best solution !!!

Posted on 1999-06-28
18
Medium Priority
?
184 Views
Last Modified: 2010-03-04
Hi Experts

Here's another brain teaser for you worth 500 lovelies :

I have several domains on one server each of which has a perl script called one.cgi in the cgi-bin.

I want to occasionally let other people run this script but ONLY ONCE by giving them a "works once only" password and a hidden clickable link to one of those cgi-bin/one.cgi scripts so that they can't just go straight to the script afterwards...

So to summarize :

1.They need a login screen for their name and email address which sends a mail to me allowing me to validate that they can use the script.

2.After validation they get a mail with their "once only password" and a url/cgi to go to that will accept it.

3.They are then validated against username or email and the given password after which they are given a domain.com/cgi-bin/one.cgi page chosen from a hidden list (in rotation or randomly assigned from a list of URLs) BUT which they cannot see the URL of when they are there (ie CGI hides it).

4.They run the "one.cgi" and their password then becomes invalid and they have to register for another one if they want to use the script again.

5. The whole thing generates a log of who used the script.

Anyone up to the challenge ?

:-)
0
Comment
Question by:boney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
18 Comments
 
LVL 5

Expert Comment

by:thoellri
ID: 1213549
Couple of questions:
1.) What platform? Unix?
2.) Do you have any databases with the registration information? SQL? DBM?


0
 

Expert Comment

by:kadokev
ID: 1213550
Can we assume Perl5 on a 'standard' Unix system running Apache web server?
0
 

Author Comment

by:boney
ID: 1213551
It's a linux running apache with perl5

No db i am afraid but I can create a simple line by line list of all the domain/cgi...
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Expert Comment

by:pc012197
ID: 1213552
How strong is the constraint that they must not see the
chosen domain.com/cgi-bin/one.cgi URL? Is it enough if the
URL is not visible in the URL line in the browser?

Should the 'one.cgi' scripts be modified to do the
password check or do you want another cgi script to
make the password check and then do some kind of
redirection to 'one.cgi'?
0
 

Author Comment

by:boney
ID: 1213553
Well because the one.cgi will be picked randomly or sequentially from a list of domains it will be difficult to modify it to include the password or validation number I suspect ?

The reason for them not seeing the URL of the cgi is simply so that they can't bookmark it and use it again without permission as this cgi uses so much of our processor up we need to restrict access severely and determine who can use it and when it can be used. Ideally we would like to charge them to use it each time so any ideas there would be helpful...

If there is a better way of doing it then happy to go that way...
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213554
I understand those domains with the 'one.cgi' are completely
under your control. So you could modify them to look up
a username/password in a simple 'database' (perl db or
possibly some kind of CSV file). Of course it would be
silly to hardcode the password in those scripts.

I think the once-only requirement is quite strong here,
so more or less simple redirection is out of the question.

Is it important that the 'one.cgi' is invoked directly by
the browser or would it be possible to write a wrapper.cgi
to do the password check, then call one.cgi (either
directly or via http) and return the results of one.cgi to
the browser?

0
 

Author Comment

by:boney
ID: 1213555
wow !

Now you are almost losing me :-)

If I understand you you can call the one.cgi from a random domain into the validation cgi and have it appear as url "validate.cgi" or whatever ?

Could it then write an "on" "off" flag in the one.cgi so if the validate is yes the one.cgi runs adn if not it doesn't (if you get my meaning) ?

:-)
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213556
What I mean is to write a validate.cgi that's invoked like
this:

http://www.validate.org/validate.cgi?user=mike&pass=mechanic

(replace with your own domain, of course)

validate.cgi will first check if user and password are
valid. If not, print an error message 'access denied'.
If so, invalidate user and password in the database,
select a server www.random-domain.com, open a HTTP
connection to request
http://www.random-domain.com/cgi-bin/one.cgi and return
the result to the requesting browser.

You can configure your apache server to allow requests
to one.cgi only from www.validate.org, so this is secure.
The only URL the user ever sees is
http://www.validate.org/validate.cgi.

The downside is, the script one.cgi doesn't get any
information about the requesting user. Also, the user
doesn't see the domain name where one.cgi is actually
invoked. Would that be acceptable?

0
 

Author Comment

by:boney
ID: 1213557
Sounds good !

I assume that a log can be created of who got approved and who ran it ?

Is it a tough one or quite simple really ?


0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213558
What I mean is to write a validate.cgi that's invoked like
this:

http://www.validate.org/validate.cgi?user=mike&pass=mechanic

(replace with your own domain, of course)

validate.cgi will first check if user and password are
valid. If not, print an error message 'access denied'.
If so, invalidate user and password in the database,
select a server www.random-domain.com, open a HTTP
connection to request
http://www.random-domain.com/cgi-bin/one.cgi and return
the result to the requesting browser.

You can configure your apache server to allow requests
to one.cgi only from www.validate.org, so this is secure.
The only URL the user ever sees is
http://www.validate.org/validate.cgi.

The downside is, the script one.cgi doesn't get any
information about the requesting user. Also, the user
doesn't see the domain name where one.cgi is actually
invoked. Would that be acceptable?

0
 

Author Comment

by:boney
ID: 1213559
PC

It looks like the same answer as before ?
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213560
oops. sorry, I shouldn't hit reload...

validate.cgi can of course log anything you want.
Well, most of it... :-)

I think it's not very hard to implement if it's
possible to use a few perl modules that are available
on CPAN, particularly HTTP, LWP, DBI and DBD::CVS.

0
 

Author Comment

by:boney
ID: 1213561
Now you really have lost me :-)

Go for it !

B
0
 
LVL 3

Accepted Solution

by:
pc012197 earned 2000 total points
ID: 1213562
I have started working on it. Please don't rate this answer
yet, I hope it'll be finished tomorrow.

Maybe we should find a method to get the script to you
(other than pasting them here). Can I upload it somewhere?

0
 

Author Comment

by:boney
ID: 1213563
sure email me it to bob@riviera.net

can't wait to see if it works :-)
0
 

Author Comment

by:boney
ID: 1213564
Hi PC

Got your files and tried to run it but it said it didn't have DBI :

Can't locate DBI.pm in @INC (@INC contains: /usr/lib/perl5/mips-linux/5.00404 /usr/lib/perl5 /usr/lib/perl5/site_perl/mips-linux /usr/lib/perl5/site_perl .) at common.pl line 1.

So I went to CPAN and got that and tried to "Makefile" but then it said :

Can't locate lib/DBI/DBD.pm in @INC (@INC contains: lib /usr/lib/perl5/mips-linux/5.00404 /usr/lib/perl5 /usr/lib/perl5/site_perl/mips-linux /usr/lib/perl5/site_perl .) at Makefile.PL line 236

I figured "ok" so I'll stick that in as well but when I went to look for DBD there are millions of variations and now I am really lost !

Help ?
0
 
LVL 84

Expert Comment

by:ozo
ID: 1213565
perl -MCPAN -e shell;
cpan> install DBI
should know how to automatically install any prerequisites
0
 

Author Comment

by:boney
ID: 1213566
Thanks ozo !  ;-) I'll go look...
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many time we need to work with multiple files all together. If its windows system then we can use some GUI based editor to accomplish our task. But what if you are on putty or have only CLI(Command Line Interface) as an option to  edit your files. I…
I have been pestered over the years to produce and distribute regular data extracts, and often the request have explicitly requested the data be emailed as an Excel attachement; specifically Excel, as it appears: CSV files confuse (no Red or Green h…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Six Sigma Control Plans

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question