Avatar of cplau
cplau

asked on

Password protection!

Hi,

I hope to use perl script only to implement a password protection scheme before entering some pages.

For example, before entering the page -- first.pl, a password and user name must be entered at the page -- password.pl. If either user name or password is incorrect, back to the previous page. On the other hand, if the password and user name are correct, enter the page -- first.pl. The main problem I faced is here. If the user had already entered the page first.pl successfully once, next time he wants to enter this page, no password and user name will be required. Thus I don't want to enter the page password.pl anymore. I only want to enter the page first.pl directly.

Can I do like this by only using Perl???

Thanks!!!
Avatar of cplau
cplau

ASKER

Hi,

I have forgotten to say I am using Microsoft PWS under Win95 and ActivePerl to run the Perl Script.

Bye
Do you want an explanation of how to do this or code....?
Avatar of cplau

ASKER

Hi guadalupe,

Could you list the code?

Thank you very much!!!
OK quick question, do you have any objection to using cookies as this will be the easiest way to "remember" if someone has logged in before or not...? The other question is do you have a protection scheme for the protected documents other than the script you're speaking of? I ask because if Perl is the only protection then the protection can be sidestepped by someone somehow knowing or guessing the URLs of the "protected" docs and typing these directly into the location window of their browser...
Avatar of cplau

ASKER

Hi guadalupe,

I don't know how to use cookies. Can you teach me how to do this?

Also, I don't have any protection scheme beside the script.
Any good idea suggested by you?

Thanks!!!

Avatar of cplau

ASKER

Hi,

Actually I think the problem you suggested is not important to me.
Because at the protected page, I will read the data posted by the previous page.

If the user enters the page by typing the URL directly, my page will only display a blank page.

Thus, I only want to check whether the user has logged in before or not. If he hasn't logged in before, ask him to provide a password and user name first, then enter the protected page. If he has done the login process before, the protected page will display the result directly.

Am I correct?

Thank you very much
Ah yes, if you will use Perl to display the pages and never show static HTML files then you are right... but I still need to know if you object to cookies (see previous comment).
Sorry, there was a time lag in notification. Now I see your response to cookies and yes, I'll teach you... Question: can you install modules or do you already have CGI.pm installed?
Avatar of cplau

ASKER

Hi,

Actually I think the problem you suggested is not important to me.
Because at the protected page, I will read the data posted by the previous page.

If the user enters the page by typing the URL directly, my page will only display a blank page.

Thus, I only want to check whether the user has logged in before or not. If he hasn't logged in before, ask him to provide a password and user name first, then enter the protected page. If he has done the login process before, the protected page will display the result directly.

Am I correct?

Thank you very much
Avatar of cplau

ASKER

Oh sorry posting the wrong comment...

Yes, I have CGI.pm installed......how can I use this?
Avatar of cplau

ASKER

Hi guadalupe,

I have one question: in my browser's preferences setting, I found I can disable cookies.

I want to know, if the user has done this in his/her browser, will your suggested method still work? Can I still check whether he/she has logged in before or not?

Or if he/she has disabled cookies, I will assume he/she hasn't logged in before. Can I do this?

Thanks!!!
Like you said... If they disable cookies you will assume they have not logged in...  The thing is I don't know of (maybe it exists - but I don't know of it) any simple ways (like a module) to manage "session variables" as they're known in Cold Fusion and ASP.  It would be possible to do this but it becomes tricky and long-winded (coded). To avoid this I would suggest cookies.
Avatar of cplau

ASKER

Anyway, can you teach me how to use cookies to check whether the user had logged in or not before???

Thank you!!!
Ok I've got it almost done and I hit a doubt.  Is it ok to have a login and have that lead to a menu of options page?
Ok this is the first half:

#!/usr/local/bin/perl -I.


use CGI;

#Create instance of CGI object
$query = new CGI;

#Get user_pass cookie
$user_pass = $query->cookie(-name=>'user_pass');

#get user
$user = $query->param('user');
#get pass
$pass = $query->param('pass');

#check if values exist for both user and pass
if ($user && $pass)
{
      if ( &check_user("$user:$pass") )
      {
            &set_cookie("$user:$pass");
            &show_menu;
            exit;
      }
      else
      {
            &output_denial($request);
            exit;
      }
}

elsif ($user_pass)
{
      if ( &check_user($user_pass) )
      {
            &show_menu;
            exit;
      }
      else
      {
            &output_denial($request);
            exit;
      }
}

else
{
            #output request for name/pass
            &output_login;
            exit;
}



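sub check_user()
{
      local($user_pass) = $_[0];
      local($found) = 0;

      #Check if user exists
      open(USERS, "./user.lst") || die "Could not open user list: $!\n";

      #Scan every line, not just the first one. \Q...\E stops the input
      #being treated as a pattern, and the anchors require the whole
      #"user:pass" line to match.
      while (<USERS>)
      {
            chomp;
            if (/^\Q$user_pass\E\r?$/)
            {
                  $found = 1;
                  last;
            }
      }
      close(USERS);

      return $found;
}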


sub output_denial($)
{

print <<EOF;
Content-type: text/html\n\n
<HTML>
<HEAD>
<TITLE> New Document </TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF">
Your access to $_[0] has been denied.
</BODY>
</HTML>
EOF

}

sub output_login()
{
print <<EOF;
Content-type: text/html\n\n
<HTML>
<HEAD>
<TITLE> New Document </TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF">
<FORM METHOD="POST" ACTION="check_pass.cgi">
User: <INPUT TYPE="text" NAME="user"><br>
Pass: <INPUT TYPE="text" NAME="pass"><br>
<input type="submit">
</FORM>
</BODY>
</HTML>
EOF
}

sub show_menu()
{

      open(MENU, "menu.htm") || die "Could not open menu: $!\n";
      
      #only output header if cookie has not been set to avoid double header
      print "Content-type: text/html\n\n" unless $cookie;

      print <MENU>;
}

sub set_cookie($$)
{
      
      local($user_pass) = $_[0];
      
      $cookie = $query->cookie(-name=>'user_pass',
                             -value=>"$user_pass",
                             -expires=>'+1h',
                             -path=>'/cgi-bin',
                             -domain=>'www.uol.com.ar',   #must match the host name this script is served from
                             -secure=>0);
    #-expires=>'never',

      print $query->header(-cookie=>$cookie);
      $cookie++;
}


The second half is just a show_doc.cgi that first checks for the cookie and then outputs the doc.

the user.lst should be a txt with the format:

user1:pass1
user2:pass2
etc.

Let me know how it goes... I still don't know if you have CGI.pm which will definitely affect the viability of this script so let me know as there are workarounds...
Sorry two things.

One you might want to change the message line in sub output_denial to read:

Your access has been denied.

And the user password check is case sensitive.  If you want to change this, change this line in the sub check_user to read like this:

if (/$user_pass/i)

this just makes the pattern matching case insensitive.

We will also have to talk about making this a truly tight security app by changing some file permissions, but we'll talk about that later.  Let's get this working first.
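
Added example, not part of the original posts: the script above puts "user:pass" itself into the cookie and tests it as a pattern against user.lst. This sketch compares credentials exactly and stores an HMAC-signed "user|expiry" token in the cookie instead, so the password is never sent back to the browser. The names $SECRET, make_token and verify_token and the sample user list are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret stored outside the web root (placeholder).
my $SECRET = 'replace-with-a-long-random-server-side-secret';

# Exact comparison against every "user:pass" line; input is never used as a regex.
sub check_user {
    my ($user, $pass, @lines) = @_;
    for my $line (@lines) {
        (my $entry = $line) =~ s/\r?\n\z//;
        my ($u, $p) = split /:/, $entry, 2;
        next unless defined $u && defined $p;
        return 1 if $u eq $user && $p eq $pass;
    }
    return 0;
}

# Cookie value: "user|expiry|HMAC(user|expiry)". The password stays on the server.
sub make_token {
    my ($user, $expires) = @_;
    return join '|', $user, $expires, hmac_sha256_hex("$user|$expires", $SECRET);
}

# Returns the user name for a valid, unexpired token, otherwise undef.
sub verify_token {
    my ($token, $now) = @_;
    my ($user, $expires, $mac) = split /\|/, ($token // ''), 3;
    return undef unless defined $mac && $expires =~ /\A\d+\z/;
    my $want = hmac_sha256_hex("$user|$expires", $SECRET);
    return undef unless length($mac) == length($want);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return undef if $diff || $expires < $now;
    return $user;
}

# Constructed sample data, standing in for user.lst.
my @users = ("user1:pass1\n", "user2:pass2\n");
my $now   = time;
print "second line matched\n"      if  check_user('user2', 'pass2', @users);
print "regex-style input denied\n" if !check_user('.', '.', @users);
my $token = make_token('user2', $now + 3600);
print "token ok for ", verify_token($token, $now), "\n";
(my $forged = $token) =~ s/^user2/user1/;
print "forged token denied\n"  unless defined verify_token($forged, $now);
print "expired token denied\n" unless defined verify_token($token, $now + 7200);
```

In the CGI script, the value returned by make_token would be passed as -value to $query->cookie, and show_doc.cgi would call verify_token on the cookie before printing anything.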




Shameless plug follows:

for $25.00 per year you can do this using the code at www.resource.nu
Avatar of cplau

ASKER

Hi guadalupe,

As I am not at office now, I need to do the testing later. Anyway, Thank you very much for your help.

If I have any problem, I will find you later.

Or Can I have your e-mail address?

Thanks
Avatar of cplau

ASKER

Dear guadalupe,

I have tested the code provided by you. But it seems I can't add anything to the cookie.

How can I know whether I can set any cookie successfully?

I am using Netscape 4.5. I found the file called cookies.txt on my PC. But this file will not be updated unless I close Netscape.

Also, after closing Netscape, I cannot find the entry I added......???
What possible errors have I made?
Is there any module that needs to be installed?

Thanks for your opinion?
ASKER CERTIFIED SOLUTION
Avatar of guadalupe
guadalupe

This solution is only available to members.
I assume from the points that you got it... Let me know if you need more help.