Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 171
  • Last Modified:

Store user name and login?

I want my users to be able to login and when they are successful they are led to a screen where they can select different options.  When they select one of these options they will all go to a script but how can the script know who is clicking the link?
0
treyjeff
Asked:
treyjeff
  • 7
  • 5
  • 3
  • +2
1 Solution
 
maneshrCommented:
you can use a hidden from variable to do that.
However, you will have to submit the form (via a post or get) to keep track of the username.

the better alternative would be to set a cookie with the username to track the users journey through your site.

0
 
treyjeffAuthor Commented:
So if someone doesn't have cookies enabled, what then should I do?
0
 
srollinsCommented:
The Apache web server uses .htaccess files and htpasswd to create user/password data. You might try to read up on these. Once a user is logged in, you can access their login via an environment variable called ENV{REMOTE_USER}. The way it works is, you put the .htaccess file in the directory you want protected. When a web client tries to access this directory, he is forced to enter a password. This authentication is remembered for the duration of the browser session.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
treyjeffAuthor Commented:
So htaccess will store their login and password in ENV{REMOTE_USER} for the entire visit?  How would I do something like if entered_password = passwordinfile then

?
0
 
srollinsCommented:
Once the ENV{REMOTE_USER} is read in, it can then be stored along with the options that are selected in a database. The script can then query the database for ENV{REMOTE_USER} to get the options that were entered. Example:
1. Get UserID via htaccess into ENV{REMOTE_USER} then open page to get options. Then 'insert ENV{REMOTE_USER},options into table'. 2. The script uses 'select options from table where userid='ENV{REMOTE_USER}'.
0
 
treyjeffAuthor Commented:
Because what I want to do is this:

1)User logs in
2)User gets to a page which is "their" page.  This page has some things customized like their name which is stored in a database.  I query the db based on their login and password.
3)Links on the side lead to other options that will be personalized based on the user info.

So it can be passed?  Like how can I insert ENV{REMOTE_USER} into variable?  Can both login and password be extracted?
0
 
Gene KlamerusTechnical ArchitectCommented:
ENV{REMOTE_USER} has neither username or password, it has their login, in their environment, but that may not be the same as YOUR login.  Either way, it does not include a password.

The best you can do is to save this information (perhaps when they do the YOUR login) into a file or DB and use the ENV{REMOTE_USER} as a lookup value.
0
 
treyjeffAuthor Commented:
So cookies it is! :)  Is it not possible to store more than one piece of information in a cookie?  We were only taught one thing (like one cookie for login, one for password, one for color option).
0
 
Gene KlamerusTechnical ArchitectCommented:
You can use several cookies OR store the username and password in a single cookie (just put them together).  Cookies can be "arrays" of values.
0
 
ozoCommented:
Or have the cookie, (or hidden variable, or $ENV{REMOTE_USER}) point to a record stored in a database on your server.
0
 
treyjeffAuthor Commented:
Here was my plan, to have them login on the main screen and if it matches a login/pasword combination in the database then it would store a cookie.  For these links, I would have them reference the cookies.  Sound pretty normal or no?
0
 
treyjeffAuthor Commented:
Also, I'd use the remote user but I have no idea what the code for something like that would be.
0
 
Gene KlamerusTechnical ArchitectCommented:
Your approach should work out fine.
0
 
srollinsCommented:
klamerus, when i use htaccess the username that i enter in the little dialog box gets stored in the ENV{REMOTE_USER} and that authentication lasts the entire session. This username is used to store user variables in my servers database.  I'm not sure what you mean when you say:

 "ENV{REMOTE_USER} has neither username or password, it has their login, in their environment, but that may not be the same as YOUR login"

I tested this on a large intranet application. I can log in as any other user if I have their password and it sets ENV{REMOTE_USER} to whoever i log in as.

0
 
srollinsCommented:
This is all done without cookies.
0
 
treyjeffAuthor Commented:
What does that store then guys?  Does it only store the login information (username)?
0
 
maneshrCommented:
a suggestion, based on professional exp, NEVER store any direct user info on a cookie (encrypted or not). This direct user info includes username/password, user id or ANYTHING using which one can gain access to that users profile/info.

it should always be a combination of cookie value & some matching value on the server that should be the key to allowing the user to unlock access to his/her pages.

Even then encrypt the cookie. you can use the encrypt function in PERL to get a basic encryption.

my .02 cents
0
 
srollinsCommented:
treyjeff,
The ENV{REMOTE_USER} only stores the ID that the user loggs in with. The password is stored on your server in either a flat file or dbm file, whichever you choose.

You can use these Perl modules to add, change, delete users, or allow them to change their password.

HTTPD::UserAdmin
HTTPD::Authen()

Another feature of this is that it allows the browser to remember his password the next time he tries to log in to a new session. This is not very secure but is convenient because the user only has to press OKAY. I guess it's as secure as cookies. If you leave your station unattended and someone else uses your browser to access your personalized site, they are doing it as you.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 7
  • 5
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now