Password Protected Page

Hi,

Does anyone have any tips or links on how to create a simple password protected area? The one I'm using now works fine, but once you are logged in and can see the URL, you can just copy and paste it and access the page directly. Here is the Perl script I'm using now…

#!/usr/bin/perl

use CGI;
$cgi = CGI->new();

# credentials submitted by the login form
$username = $cgi->param('username');
$password = $cgi->param('password');

# hard-coded users; on success the browser is simply redirected to the page
if ($username eq 'myuser' && $password eq 'mypass') {
print $cgi->redirect('myfile.html');
} elsif ($username eq 'otheruser' && $password eq 'otherpass') {
print $cgi->redirect('otherfile.html');
} else {
print $cgi->redirect('failure.html');
}

The basic logic of how to make a simple password-protected area using PHP, well, the way I would do it, would be like this:

Post an HTML form with username & password.

verify against database, get IP and session ID. Make some hash out of the session ID and IP address and put it into a sessions table. Set a flag session variable to mark the user logged in.
So now you have this to verify user logged in:

  1. Session variable logged in - true or false.
  2. Session ID hash (we’ll call it $sid for now)

Then on every page that is protected, first see if the SESSION['logged_in'] == true. If not, then redirect back to the login.php page.

If it is true, then from page to page you pass the $sid id like this:
somepage.php?sid=$sid

So on every password protected page you get that sid ID, then verify it against the sid in the database, with the current session and the IP address of the person accessing that page. If no matches, then send them to the login.php page…

This is kind of how phpBB does it.

So what you are missing is that there is no way to verify whether the user is logged in or not on the password protected pages. The simplest is to just set some session variable after you log in so that each page checks to see if that flag is marked true. But that is pretty easy to break through, so using a session ID with an IP address makes it a little tougher.

Is there a simple way to do it with .htaccess? Or is there a way to improve upon my script?

.htaccess can be very secure… and is not hard to add. But the way you wrote that Perl, that is not a smart idea (meaning storing the user/password in the file itself).

Is there a way to use .htaccess and htpasswd in conjunction with a form so I don't have to use the browser one?

Not securely, as you would be passing the form data in plain text to the server.

But .htaccess is secure even if you aren't using HTTPS?

But if you don't use the default Apache user/password prompt, you do this:
http://user:[email protected]

I don't understand what you mean.

You can do access verification in Perl if you like.

Basically it involves this:

  1. Check if the browser has provided a userid/password set. It'll be in $ENV{'HTTP_CGI_AUTHORIZATION'}
  2. If no userid/password is present, ask for one by sending a reply with status 401 Authentication required
  3. If a userid/password set is present, verify that they’re valid and show the page. If they’re not valid, show a page that tells the user that access is denied.

I’ve done this in PHP once, but never in Perl…
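The three steps above, as an added example that is not from this thread or any of its posters, written in Python rather than Perl so it runs stand-alone; the `USERS` store, the fixed salt, the realm and the helper names are assumptions. It shows why this closes the hole in the original script: the browser must send the credentials with every request, so a copied URL alone does not get the page, and the check is made against salted password hashes instead of clear-text strings in the script.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> (salt, PBKDF2 hash), so no clear-text
# passwords sit in the script the way they do in the Perl above. A real deployment
# would use a random per-user salt and keep the store outside the web root.
def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS = {
    "myuser": (_SALT, _hash(_SALT, "mypass")),        # sample accounts from the thread
    "otheruser": (_SALT, _hash(_SALT, "otherpass")),
}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Members"'}

def basic_header(user, password):
    """What the browser sends back after a 401: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(header):
    """Step 1: pull (user, password) out of the Authorization header value, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:          # bad base64 or bad UTF-8 (binascii.Error is a ValueError)
        return None
    user, _, password = decoded.partition(":")
    return user, password

def check_credentials(user, password):
    """Constant-time check; unknown users hash against a dummy so timing does not leak names."""
    salt, digest = USERS.get(user, (_SALT, b""))
    return hmac.compare_digest(_hash(salt, password), digest)

def authorize(auth_header):
    """Return (status, headers, body) for a protected page, following the three steps."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, CHALLENGE, "Authentication required"      # step 2: ask for credentials
    user, password = creds
    if not check_credentials(user, password):
        return 401, CHALLENGE, "Access denied"                # step 3: invalid, deny
    return 200, {}, f"Welcome, {user}"                         # step 3: valid, serve page
```

A CGI wrapper would pass the request's Authorization header value to `authorize()` and emit the returned status, headers and body; the 401 response must carry the `WWW-Authenticate` header or the browser will never prompt.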