http://qs321.pair.com?node_id=7365

rodry has asked for the wisdom of the Perl Monks concerning the following question: (cgi programming)

I have a database that has login information (such as username and password) that is used to allow the user to get to some pages and documents that are otherwise restricted. How do I make sure that these documents are not accessed in any way other than the login screen? I know this has to do with managing user sessions. Please point me to any related literature.

Originally posted as a Categorized Question.

Re: How can I authenticate HTTP sessions?
by comatose (Monk) on Apr 12, 2000 at 16:25 UTC

    There are a few different ways to track user sessions, so you'll need to assess exactly which one is best for your needs. This is covered by an entire chapter in O'Reilly's Writing Apache Modules in Perl and C. I'll recap a few of the methods that don't absolutely require mod_perl.

    Hidden tags - Each page is generated via a script of some type. Store the userid and such in hidden input tags of a form. This method generally only works with a linear flow of pages.

    Cookies - This is probably the quickest and easiest to implement based on what you are asking for. Once they login, set a session-based cookie (goes away when they close their browser) that marks them as logged in. Of course, if someone has cookies turned off, this one isn't going to work.

    Database - Store whether they are currently logged in with a database. You have to combine this with one of the above methods to keep track of a session ID. You can also keep track of the session ID in a query string on the end of your URLs.

Re: How can I authenticate HTTP sessions?
by btrott (Parson) on Apr 12, 2000 at 19:38 UTC

    To really protect those documents, you'll probably need to basically re-authorize the user on each request. You can either roll your own authentication, or you can use the HTTP basic authentication scheme.

    If you choose the former, you'll probably want to have a login screen; then authenticate the user, set a cookie, and let the user view the documents. On each request for a document, check for the authentication cookie: if it exists, let the user view the doc; if it doesn't exist, make the user log in again.

    If you choose to go with basic authentication, you'll want to authenticate out of your database, since you already have the username/password info in there. Check out Apache::AuthDBI (on CPAN) for doing basic authentication out of a database for which you have a DBI driver.
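    An added example, not from the thread or its author: a minimal version of the roll-your-own flow described above (login succeeds, a cookie is set, each later request checks the cookie), written so the "logged in" marker is an HMAC-signed token rather than a plain flag the visitor could forge. It uses only core Digest::SHA; the secret, username and TTL are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: in real use this is loaded from a file outside the web root.
# Constructed placeholder for the example.
my $SECRET = 'replace-with-a-long-random-secret';

# Issue a token once the password check has already passed.
# Token = "user:expiry:mac". Fields are readable, but only the server can
# produce a valid MAC, so the cookie cannot be forged or edited.
sub make_session_token {
    my ($user, $ttl_seconds) = @_;
    die "username must not contain ':'" if $user =~ /:/;
    my $payload = join ':', $user, time() + $ttl_seconds;
    return $payload . ':' . hmac_sha256_hex($payload, $SECRET);
}

# Session cookie (no Expires, so it is dropped when the browser closes);
# HttpOnly keeps it away from page scripts, Secure limits it to HTTPS.
sub session_cookie_header {
    my ($token) = @_;
    return "Set-Cookie: session=$token; Path=/; HttpOnly; Secure\r\n";
}

# Constant-time comparison so response timing does not leak the MAC.
sub same_hex {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Run on every request for a protected document (read the token from
# $ENV{HTTP_COOKIE} in a CGI). Returns the username, or undef to force a
# fresh login.
sub verify_session_token {
    my ($token) = @_;
    return undef unless defined $token;
    my ($user, $expires, $mac) = split /:/, $token, 3;
    return undef unless defined $mac && $expires =~ /^\d+$/;
    my $payload = join ':', $user, $expires;
    return undef unless same_hex($mac, hmac_sha256_hex($payload, $SECRET));
    return undef if time() > $expires;    # expired: re-authenticate
    return $user;
}

# Demonstration with constructed values (not a real account).
my $token = make_session_token('rodry', 1800);
print "valid token -> ", verify_session_token($token) // 'rejected', "\n";
(my $tampered = $token) =~ s/^rodry/admin/;
print "tampered token -> ", verify_session_token($tampered) // 'rejected', "\n";
```

    A signed token like this cannot be revoked before it expires; logout or forced invalidation needs the server-side session record comatose described (the Database approach), with the cookie carrying only the session ID.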

Re: How can I authenticate HTTP sessions?
by mezhaka (Initiate) on Oct 28, 2005 at 11:12 UTC

    Here's a solution based on the CGI::Session module