Hi Andy,

It is possible to do all password management using CGI::App. I currently do this with a login module similar to Apache::Session (or CGI::Session), a Users module, and a subclass of CGI::App that I call "SecureApplication". The login module creates a user session which expires after a specified amount of time. Each time the user interacts with any "SecureApplication" the session expiration time is reset in the prerun method. I wrote my own module to do this because I was having trouble with Apache::Session and CGI::Session on my development machine (Mac OS X). User info such as username and password are associated with the session server-side in a cookie (stored client-side). Be sure to use a robust method to generate a session ID that is unique. Apache::Session has such a method.

In the SecureApplication prerun mode, you can authenticate the user. Check to see that the session hasn't expired, and then you can pull the username from the session as well if you need to do authorization. You could recheck the username and password (I do this) but I don't think it makes a difference. The key here is to use a session ID that is extremely difficult to guess, and to make sure sessions expire for security reasons.

Add a login_error method to SecureApplication that redirects to login.cgi?rm=login_error to keep things modular. If you don't like all the junk in the URL then use LWP::UserAgent to "post" your "login_error" run mode to the login module.

The one feature missing from the above specification is the ability to resume your activity if you need to re-login. You get this feature for free if you use Apache to do your authentication. If you want this functionality it can be implemented by saving the operation information with the current (expired) session and passing an identifier to the login module. This approach is the least elegant aspect of using CGI scripts to do authentication.
Happy Holidays,
-john

--- Andy Taylor <suppressed> wrote:

> I've been reading posts to this list for quite a while and appreciate
> all the helpful discourse. I'm about to start a fairly large project
> I think cgi::app will be good for but the authentication part is
> proving a stumbling block. The advice of Jesse and others to leave
> the authentication and authorization parts to the server - separated
> from the main code make much sense to me. That said, I don't have the
> option of installing mod_perl...the server my project will run on is
> used by many others and it can't afford the memory hit as well as the
> security issues that come with the shared environment. What I wanted
> to ask the list is....have any of you had success using cgi:app with
> some of the smaller more specific authentication/authorization apache
> modules like mod_auth_mysql etc. that don't require mod_perl. I
> envision having one separate module for logging in, another for
> changing passwords/user info, and then the main application broken
> down into several cgi:app's that don't contain any auth code.
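The pieces John describes (an unguessable session ID, an idle expiry that is reset in prerun, a `login_error` run mode that redirects to the login script, and a saved "pending operation" so the login module can resume the user's request) can be sketched as one CGI::Application base class. The code below is an added example, not John's SecureApplication or any module from the CGI::Application project. It assumes an in-process hash as the session and pending-request store (a real deployment would use Apache::Session, CGI::Session, or a database so state survives across CGI invocations), a cookie named `SESSION_ID`, a 20-minute idle timeout, and reads the OS random device directly instead of Apache::Session's ID generator; all of those are assumptions chosen for the example.

```perl
package SecureApplication;
use strict;
use warnings;
use base 'CGI::Application';

# Assumed in-process stores for the example. Per-request CGI processes lose
# these on exit, so real code would back them with a file, DBM, or database.
my %SESSIONS;   # session id => { username => ..., expires => epoch seconds }
my %PENDING;    # resume id  => { run mode and query params saved at expiry }
my $IDLE_TIMEOUT = 20 * 60;   # seconds of inactivity before a session expires

# Session and resume IDs must be unpredictable: 32 bytes from the OS CSPRNG,
# hex encoded. Apache::Session's generator would do the same job.
sub new_random_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack('H*', $bytes);
}

# Called by the (separate) login module once the password check has passed.
sub create_session {
    my ($username) = @_;
    my $id = new_random_id();
    $SESSIONS{$id} = { username => $username, expires => time + $IDLE_TIMEOUT };
    return $id;
}

# Returns the session record if the ID is well formed, known, and unexpired,
# and slides the expiry forward. Expired sessions are deleted server-side.
sub validate_session {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    my $s = $SESSIONS{$id} or return undef;
    if ($s->{expires} < time) {
        delete $SESSIONS{$id};
        return undef;
    }
    $s->{expires} = time + $IDLE_TIMEOUT;   # reset on every interaction
    return $s;
}

# Snapshot the request the user was attempting so login can resume it.
# The resume ID handed to login.cgi is random, never the expired session ID.
sub save_pending {
    my ($q) = @_;
    my $resume_id = new_random_id();
    $PENDING{$resume_id} = {
        rm     => scalar $q->param('rm'),
        params => { map { $_ => [ $q->param($_) ] } $q->param },
    };
    return $resume_id;
}

# Register the shared run mode so every subclass can be switched into it.
sub cgiapp_init {
    my $self = shift;
    $self->run_modes(login_error => 'login_error');
}

# Authentication happens here, before any application run mode executes.
sub cgiapp_prerun {
    my $self = shift;
    my $sess = validate_session(scalar $self->query->cookie('SESSION_ID'));
    unless ($sess) {
        $self->param(resume_id => save_pending($self->query));
        $self->prerun_mode('login_error');   # override the requested run mode
        return;
    }
    # Authorization in subclasses can read this instead of trusting the query.
    $self->param(username => $sess->{username});
}

# Hand off to the login script; the resume ID is the only state in the URL.
sub login_error {
    my $self = shift;
    my $resume = $self->param('resume_id') || '';
    $self->header_type('redirect');
    $self->header_props(-url => "login.cgi?rm=login_error&resume=$resume");
    return '';
}

1;
```

A concrete application then inherits with `use base 'SecureApplication'` and defines only its own run modes; the username it needs for authorization comes from `$self->param('username')`, which prerun populated from the server-side session rather than from anything the client sent. Because the idle timer is refreshed on every validated request, a user who keeps working never hits the timeout, while an abandoned session still lapses after 20 minutes.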