Should I assume that most work done in perl/CGI is either 1) user initiated through a form; or 2) executed with a single script calling functions from other modules?

You've got it - both. :)

Re 1) Everything CGI is always in response to an http request, so in that sense it's user initiated (unless the page is being spidered by a bot or whatever, but you get the point). It doesn't make any difference to the script itself whether it gets its parameters from a form, or from a URL with extra stuff on the end (or maybe it doesn't take any parameters at all...)

Re 2) It's certainly normal practise to put code that you'll need in more than one script inside a module. That's pretty much what modules are for. You can use fork() and so on to go out to other scripts, but it's not a great idea - apart from anything it's pretty slow. If you need to start something running but you don't want to wait for it to finish before sending the page back to the user, then personally I'm a fan of Apache's callback system, which lets you run some more code after the page has been sent back to the user.

So anyway, yes, it seems to me that by far the better plan is to put the credentials-checking code in a separate module. Then you can call it from anywhere you like.

One approach to credentials-checking (and there are others) is to do an initial username/password login, then place a cookie in the user's browser that keeps them logged in for that session (the cookie should not contain the password - usually it's an MD5 hash or something like that).

The book 'Writing Apache modules with Perl and C' has lots of useful stuff on this kind of thing. Obviously it's more relevant to Apache than to other web servers. <grin>

One approach that can be used is to put the credentials-checking stuff in the Authentication/Authorization stages of the Apache request cycle. This is good because:

• It's a lot easier than it sounds
• It happens automatically for every request - so your normal scripts can get on with doing whatever they do, without needing to worry about whether the user is authenticated.

There's more info about how to do that, and some great examples, here (a chapter from the book named above). The basic example looks like this:

Listing 6.1: Simple access control 

 package Apache::GateKeeper;
 # file: Apache/GateKeeper.pm 
 use strict;
 use Apache::Constants qw(:common);
 
 sub handler {
     my $r = shift;
     my $gate = $r->dir_config("Gate");
     return DECLINED unless defined $gate;
     return OK if lc $gate eq 'open';
 
     if (lc $gate eq 'closed') {
         $r->log_reason("Access forbidden unless the gate is open", $r
+->filename);
         return FORBIDDEN;
     }
 
     $r->log_error($r->uri, ": Invalid value for Gate ($gate)");
     return SERVER_ERROR;
 }
 
 1;
 __END__


The .htaccess file that goes with it 
 PerlAccessHandler Apache::GateKeeper
 PerlSetVar Gate closed
[download]

(by Lincoln Stein and Doug MacEachern)
with this explanation for the codes passed to Apache:
DECLINED means that this handler doesn't deal with the request (instead control is passed to the next handler, if there is one)
OK means sure, let the user in
FORBIDDEN returns the 'access forbidden' error to the user's browser
SERVER_ERROR is obvious.

So in the real world you might first check whether the URL is one to which you want to control access (if it isn't then return DECLINED), check whether the user has the right credentials, if they do then return OK else return FORBIDDEN.

HTH!

Best wishes, andye