Solved

500 points for the best solution !!!

Posted on 1999-06-28
Last Modified: 2010-03-04
Hi Experts

Here's another brain teaser for you worth 500 lovelies :

I have several domains on one server each of which has a perl script called one.cgi in the cgi-bin.

I want to occasionally let other people run this script but ONLY ONCE by giving them a "works once only" password and a hidden clickable link to one of those cgi-bin/one.cgi scripts so that they can't just go straight to the script afterwards...

So to summarize :

1. They need a login screen for their name and email address which sends a mail to me allowing me to validate that they can use the script.

2. After validation they get a mail with their "once only password" and a url/cgi to go to that will accept it.

3. They are then validated against username or email and the given password after which they are given a domain.com/cgi-bin/one.cgi page chosen from a hidden list (in rotation or randomly assigned from a list of URLs) BUT which they cannot see the URL of when they are there (i.e. CGI hides it).

4. They run the "one.cgi" and their password then becomes invalid and they have to register for another one if they want to use the script again.

5. The whole thing generates a log of who used the script.

Anyone up to the challenge ?

:-)
0
Question by:boney
18 Comments
 
LVL 5

Expert Comment

by:thoellri
ID: 1213549
Couple of questions:
1.) What platform? Unix?
2.) Do you have any databases with the registration information? SQL? DBM?


0
 

Expert Comment

by:kadokev
ID: 1213550
Can we assume Perl5 on a 'standard' Unix system running Apache web server?
0
 

Author Comment

by:boney
ID: 1213551
It's a linux running apache with perl5

No db I am afraid but I can create a simple line by line list of all the domain/cgi...
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213552
How strong is the constraint that they must not see the
chosen domain.com/cgi-bin/one.cgi URL? Is it enough if the
URL is not visible in the URL line in the browser?

Should the 'one.cgi' scripts be modified to do the
password check or do you want another cgi script to
make the password check and then do some kind of
redirection to 'one.cgi'?
0
 

Author Comment

by:boney
ID: 1213553
Well because the one.cgi will be picked randomly or sequentially from a list of domains it will be difficult to modify it to include the password or validation number I suspect ?

The reason for them not seeing the URL of the cgi is simply so that they can't bookmark it and use it again without permission as this cgi uses so much of our processor up we need to restrict access severely and determine who can use it and when it can be used. Ideally we would like to charge them to use it each time so any ideas there would be helpful...

If there is a better way of doing it then happy to go that way...
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213554
I understand those domains with the 'one.cgi' are completely
under your control. So you could modify them to look up
a username/password in a simple 'database' (perl db or
possibly some kind of CSV file). Of course it would be
silly to hardcode the password in those scripts.

I think the once-only requirement is quite strong here,
so more or less simple redirection is out of the question.

Is it important that the 'one.cgi' is invoked directly by
the browser or would it be possible to write a wrapper.cgi
to do the password check, then call one.cgi (either
directly or via http) and return the results of one.cgi to
the browser?

0
 

Author Comment

by:boney
ID: 1213555
wow !

Now you are almost losing me :-)

If I understand you, you can call the one.cgi from a random domain into the validation cgi and have it appear as url "validate.cgi" or whatever ?

Could it then write an "on" "off" flag in the one.cgi so if the validate is yes the one.cgi runs and if not it doesn't (if you get my meaning) ?

:-)
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213556
What I mean is to write a validate.cgi that's invoked like
this:

http://www.validate.org/validate.cgi?user=mike&pass=mechanic

(replace with your own domain, of course)

validate.cgi will first check if user and password are
valid. If not, print an error message 'access denied'.
If so, invalidate user and password in the database,
select a server www.random-domain.com, open a HTTP
connection to request
http://www.random-domain.com/cgi-bin/one.cgi and return
the result to the requesting browser.

You can configure your apache server to allow requests
to one.cgi only from www.validate.org, so this is secure.
The only URL the user ever sees is
http://www.validate.org/validate.cgi.

The downside is, the script one.cgi doesn't get any
information about the requesting user. Also, the user
doesn't see the domain name where one.cgi is actually
invoked. Would that be acceptable?

0
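
The check-and-invalidate step of the validate.cgi design described in the comment above, as an added example that is not part of the original thread and is not pc012197's script. It assumes a flat-file store with one `user:sha256hex` line per issued password and a hypothetical `redeem` function; the lookup and the invalidation happen under one exclusive lock so that two simultaneous requests cannot both redeem the same password, and the HTTP fetch of one.cgi is left out.

```perl
#!/usr/bin/perl
# Added example (not from the thread): one-time password redemption.
use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET);
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempfile);

# Store format is an assumption: one "user:sha256hex(password)" line per
# issued password. Returns 1 exactly once per issued password, else 0.
sub redeem {
    my ($store, $log, $user, $pass) = @_;
    # Restrict the user name so it cannot forge store or log lines.
    return 0 unless defined($user) && $user =~ /\A[\w.\@-]{1,64}\z/;
    open(my $fh, '+<', $store) or die "open $store: $!";
    flock($fh, LOCK_EX) or die "flock: $!";    # serialize concurrent requests
    chomp(my @rows = <$fh>);
    my $want = "$user:" . sha256_hex(defined($pass) ? $pass : '');
    my @keep = grep { $_ ne $want } @rows;
    my $ok   = @keep < @rows ? 1 : 0;
    if ($ok) {                                 # invalidate before one.cgi runs
        seek($fh, 0, SEEK_SET) or die "seek: $!";
        truncate($fh, 0)       or die "truncate: $!";
        print {$fh} "$_\n" for @keep;
    }
    close($fh) or die "close: $!";             # flushes, then releases the lock
    open(my $lfh, '>>', $log) or die "open $log: $!";
    printf {$lfh} "%s user=%s result=%s\n",
        scalar(gmtime()), $user, $ok ? 'granted' : 'denied';
    close($lfh) or die "close: $!";
    return $ok;
}

# Constructed demo data: one issued password for a constructed user.
my (undef, $store) = tempfile(UNLINK => 1);
my (undef, $log)   = tempfile(UNLINK => 1);
open(my $out, '>', $store) or die "open $store: $!";
print {$out} "mike:" . sha256_hex('mechanic') . "\n";
close($out) or die "close: $!";

# Wrong password, then the valid one, then a replay of the valid one.
for my $try ('wrong', 'mechanic', 'mechanic') {
    print redeem($store, $log, 'mike', $try) ? "granted\n" : "denied\n";
}
```

Only a call that returns 1 should go on to request one.cgi from the chosen back-end; the log file then records every attempt, granted or denied.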
 

Author Comment

by:boney
ID: 1213557
Sounds good !

I assume that a log can be created of who got approved and who ran it ?

Is it a tough one or quite simple really ?


0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213558
What I mean is to write a validate.cgi that's invoked like
this:

http://www.validate.org/validate.cgi?user=mike&pass=mechanic

(replace with your own domain, of course)

validate.cgi will first check if user and password are
valid. If not, print an error message 'access denied'.
If so, invalidate user and password in the database,
select a server www.random-domain.com, open a HTTP
connection to request
http://www.random-domain.com/cgi-bin/one.cgi and return
the result to the requesting browser.

You can configure your apache server to allow requests
to one.cgi only from www.validate.org, so this is secure.
The only URL the user ever sees is
http://www.validate.org/validate.cgi.

The downside is, the script one.cgi doesn't get any
information about the requesting user. Also, the user
doesn't see the domain name where one.cgi is actually
invoked. Would that be acceptable?

0
 

Author Comment

by:boney
ID: 1213559
PC

It looks like the same answer as before ?
0
 
LVL 3

Expert Comment

by:pc012197
ID: 1213560
oops. sorry, I shouldn't hit reload...

validate.cgi can of course log anything you want.
Well, most of it... :-)

I think it's not very hard to implement if it's
possible to use a few perl modules that are available
on CPAN, particularly HTTP, LWP, DBI and DBD::CSV.

0
 

Author Comment

by:boney
ID: 1213561
Now you really have lost me :-)

Go for it !

B
0
 
LVL 3

Accepted Solution

by:
pc012197 earned 2000 total points
ID: 1213562
I have started working on it. Please don't rate this answer
yet, I hope it'll be finished tomorrow.

Maybe we should find a method to get the script to you
(other than pasting them here). Can I upload it somewhere?

0
 

Author Comment

by:boney
ID: 1213563
sure email me it to bob@riviera.net

can't wait to see if it works :-)
0
 

Author Comment

by:boney
ID: 1213564
Hi PC

Got your files and tried to run it but it said it didn't have DBI :

Can't locate DBI.pm in @INC (@INC contains: /usr/lib/perl5/mips-linux/5.00404 /usr/lib/perl5 /usr/lib/perl5/site_perl/mips-linux /usr/lib/perl5/site_perl .) at common.pl line 1.

So I went to CPAN and got that and tried to "Makefile" but then it said :

Can't locate lib/DBI/DBD.pm in @INC (@INC contains: lib /usr/lib/perl5/mips-linux/5.00404 /usr/lib/perl5 /usr/lib/perl5/site_perl/mips-linux /usr/lib/perl5/site_perl .) at Makefile.PL line 236

I figured "ok" so I'll stick that in as well but when I went to look for DBD there are millions of variations and now I am really lost !

Help ?
0
 
LVL 85

Expert Comment

by:ozo
ID: 1213565
perl -MCPAN -e shell;
cpan> install DBI
should know how to automatically install any prerequisites
0
 

Author Comment

by:boney
ID: 1213566
Thanks ozo !  ;-) I'll go look...
0


Question has a verified solution.
