http://qs321.pair.com?node_id=1223033


in reply to with CGI, How to have multiple usernames and passwords from a txt file (password.txt) file

Some side notes, storing your passwords.txt in /tmp isn't wise, nor is having passwords in plain text. You use CGI then manually print headers. You don't set a session, so after you validate the login details you redirect to a URL which isn't ensuring the visitor is logged in. Make life easy on yourself, see CGI::Alternatives.

  • Comment on Re: with CGI, How to have multiple usernames and passwords from a txt file (password.txt) file

Replies are listed 'Best First'.
Re^2: with CGI, How to have multiple usernames and passwords from a txt file (password.txt) file
by theravadamonk (Scribe) on Sep 28, 2018 at 08:08 UTC

    "storing your passwords.txt in /tmp isn't wise"

    I move it to /etc/httpd/password.txt

    "You don't set a session"

    how to set a session? Pls guide me. I will add it.

    "see CGI::Alternatives."

    What Can I get from it to enhance the code?

    I am runnig Apache with http. If run it with httpS and self signed certificate , Will it be better?

    I am also trying to add "onclick"funtion to my below login.html file to a give error message, if wrong inputs were entered. I am currently having them in login.cgi code. which way is better?

     <INPUT TYPE = "SUBMIT" VALUE = "Enter">

    [download]

    I am some miles away from completing a nice and secure code..

    I hope perl monks will come up with their views..

[reply]
[d/l]

      "I move it to /etc/httpd/password.txt"

      Also consider permissions, who else can get access to this file? I tend to keep this sort of thing in a database.

      "What Can I get from it to enhance the code?"

      Well it contains a lot of advice which you shouldn't ignore, examples of sane ways to approach such problems in modern frameworks.. Developing secure web applications isn't easy. What you have right now is a splash page redirecting those with a valid username and password to another page, which has no authentication on it whatsoever, nothing to stop anyone emailing the URL to someone else, who would be able to see it without any login details.

      CGI::Alternatives suggests other ways to achieve what you're actually trying to do, which will make your life easy if you take the time to learn the basics of what you're doing, rather than trying to implement something where security is "a MUST" without understanding such things. One of those is Mojolicious, which has fantastic documentation, you should pay special attention to the Basics. Tutorial gets you started. Growing goes on to show (wait for it) an example of how to implement an application which requires users to login. Finally HTTPS, for sure, https://letsencrypt.org/ may be of interest.

      This requires you to invest time in yourself, learning how to achieve what you want and what the tools available to you do. Modern frameworks make life easier. It's not the mid 1990s anymore (thankfully).

      Update: Fixed some typos.

[reply]
      I am runnig Apache with http. If run it with httpS and self signed certificate , Will it be better?

      Yes it will because then your users' passwords will not be sent over the wire in the clear for any malefactor to read. It would be better still if your certificate were not self-signed.

      I am also trying to add "onclick"funtion to my below login.html file to a give error message, if wrong inputs were entered. I am currently having them in login.cgi code. which way is better?

      Both is better. Having it on the front-end prevents unnecessary round trips. Having it on the back-end too allows handling for those with javascript disabled.

      Note that neither of these questions have much to do with Perl. You might benefit from reading up on the general basics of web server (and web application) security first.

[reply]
A reply falls below the community's threshold of quality. You may see it by logging in.

In Section Seekers of Perl Wisdom