NTIVER

Perl created page using old data (IE)

Hi,

I have an HTML page with a form with 2 elements, name and password.  When submitted, the form calls a Perl script that validates the username and password against a file, updates a file called "currentuser" and redirects them to the next page.  This works fine.

On the next page, the current user details are retrieved by the next script and the web page is built using the user's full name, date, access level etc. which have just been retrieved.

My problem.

I have two test users, fred and john.  If I log on as john with the correct username/password combination on the first run, the screen builds correctly and knows that I am user john.

If I then close the browser and log in as fred with the correct username/password combination, the page is built with john's details again.  If I click "refresh" it re-loads with fred's details. A bit of a security hole methinks.

If I get the username/password combination wrong at any point, I am re-directed to the "access denied" page, which works correctly.

I am using IE6 version 6.0.2600.0000co

I have enabled "Empty Temporary Internet Files When Browser Is Closed", I have disabled "Userdata Persistence", I have set history files to 0 days and also set the "Check For New Versions Of Pages" to be "Every Visit To The Page" and it still won't pick up the right data without a refresh.

Where else could it possibly be storing the information?

Any ideas, please?

Thanks in advance.

Neil
sushrut

Are you using cookies on your second page?

ASKER

Nope - I am not using cookies anywhere on my pages.  The only place data gets written is to text files on the server, no client side data is stored.

Also, I have put this in the script as it builds the webpage to try and stop it caching:

<META HTTP-EQUIV="Expires" CONTENT="Fri, 12 Jun 1981 00:00:01 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">

Makes no difference though :(

Neil
Are you deleting this currentuser temp file after the second page loads or are you leaving the temp file intact?  I think this may be where your problem lies.  Could you go into more detail on the flow of your perl script(s) and what they're actually doing?  Do you really need this temp file?  Why not just pass the information to the next cgi script with hidden form fields?  Please clarify and I'll/we'll try to help you track down the bug.
Another option is to use one cgi/perl script to perform all functions and set up more of a state machine-type flow in your script.  This way you shouldn't have to use temp files.

ASKER

OK, the user enters the first page (index.htm) and enters username and password from fields in a form.  The action on the form is a cgi script.  This script reads the username and password fields from the form, reads the users file (users.cgi) and compares the two values against each other.

If the two match, the current user (first name) is written to the current user file (currentuser.cgi).  The page is then re-directed to the main application screen (unless the username/password don't match, then you are redirected to the access denied page (accessdenied.htm)).

Once at the main application screen (mainscreen.cgi) a new script reads the current user from the current user file, then reads the user access file (useraccess.cgi) using the current user as the key - the contents of this file determine what the user has access to (menus etc. although these aren't set up yet).

My idea, was to make sure that people entered the main application screen via the username/password fields, and could not just go straight to the page.  I intend to clear out the current user file when a user clicks "logout" but I haven't done this part yet.

Additional info:

Once the second user has logged on (prior to clicking refresh), if I check the files on the system, they have all been updated correctly.  The current user file has the second user in it, so I know that these are working at the correct time, it's purely a browser refresh matter I think.

I have tested this on a colleague's Win XP machine, and his seems to update correctly without the refresh (although typical me, I can't remember what version of IE he has!).

Gor: Could you please explain more about the "state machine-type flow" you mention?

Also, if anybody has other ideas either about why this may be happening or a better way of doing things, please let me know - I am relatively new to Perl still.

Thanks :)

Neil

ASKER CERTIFIED SOLUTION
GorGor1

This solution is only available to members.
I screwed up with my sample Main program code.  $page should not be initialized using 'my $page;'.  It should be initialized just like the rest of your parameters collected from the form:

my $page = param('page');

and in the form:

<input type="hidden" name="page" value = "x">

ASKER

GorGor1:

I have found where the problem lay.  The redirection I was using was as follows:

The Perl script did the authentication against the username and password, then using "print" I built a small web page encompassing a javascript script that did a "window.location.replace()" statement to actually re-direct the browser depending on whether you authenticated or not.

I have found that by replacing this method with:

print "Location: xxx.cgi\n\n";  # the blank line ends the CGI header block

It works fine (why I bothered with JS I have no idea :)

So, although your suggestion wasn't the answer to my problem, I am going to change the way in which my whole application works, so that I use non-persistent cookies as you mention as I think this will be infinitely better.

Thank you to all the EE experts for your help and suggestions.

Regards,

Neil
No problem...glad I could help!

ASKER

One other question, and I'll post it as a 'proper question' if you like, have you an example of the simplest, easiest, most straightforward script to create a cookie using perl?  I've downloaded about 5 examples from the web and they all seem to have too much 'user-configurable' stuff in them.  I just want an example that writes one simple line away so that I can prove it works, then I can play with it later.

Can you help?

Thanks,

Neil.
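
Added example, not part of the thread and not any participant's code: a minimal Perl sketch of the non-persistent cookie approach discussed above, where each browser carries its own random session token instead of every visitor sharing one server-side current-user file, and where caching is disabled with real HTTP headers rather than META tags. The session directory, the cookie name `sid` and the use of `/dev/urandom` are assumptions; `mainscreen.cgi` and `accessdenied.htm` are the file names from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $SESSION_DIR = '/var/lib/myapp/sessions';  # hypothetical; keep outside the web root

# Store a session for an already-authenticated user; return its random token.
sub new_session {
    my ($user) = @_;
    open my $rng, '<:raw', '/dev/urandom' or die "no RNG: $!";  # assumes Unix-like host
    read($rng, my $bytes, 16) == 16 or die "short read from RNG";
    my $token = unpack 'H*', $bytes;           # 32 hex characters
    open my $fh, '>', "$SESSION_DIR/$token" or die "cannot store session: $!";
    print {$fh} $user;
    close $fh or die "cannot store session: $!";
    return $token;
}

# Map the Cookie header sent by this browser to a user name, or undef.
sub current_user {
    my ($cookie_header) = @_;
    # Accept only the exact token format, so the value is safe to use in a path.
    my ($token) = ($cookie_header // '') =~ /(?:^|;\s*)sid=([0-9a-f]{32})(?:;|$)/;
    return unless defined $token;
    open my $fh, '<', "$SESSION_DIR/$token" or return;
    my $user = <$fh>;
    close $fh;
    return $user;
}

# Login script: call only after the username/password check has succeeded.
sub login_response {
    my ($user) = @_;
    my $token = new_session($user);
    # "sid" is a hypothetical cookie name. No Expires/Max-Age makes the cookie
    # non-persistent; add "; Secure" when the site is served over HTTPS.
    return "Status: 302 Found\n"
         . "Set-Cookie: sid=$token; Path=/; HttpOnly\n"
         . "Location: mainscreen.cgi\n\n";
}

# mainscreen.cgi: identity comes from the cookie; HTTP headers forbid caching.
sub main_screen_response {
    my $user = current_user($ENV{HTTP_COOKIE});
    return "Status: 302 Found\nLocation: accessdenied.htm\n\n" unless defined $user;
    return "Content-Type: text/html\nCache-Control: no-store\nPragma: no-cache\n\n"
         . "<html><body>Logged in.</body></html>\n";
}

print main_screen_response() unless caller;   # runs when invoked as mainscreen.cgi
```

The login script would print `login_response($user)` in place of its bare `Location:` line; a logout handler deletes the session file so the token stops working.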