http://www.perlmonks.org?node_id=398035


in reply to Re: Persistent login session with restricted access
in thread Persistent login session with restricted access

The way I've seen it done most successfully is this:
  1. Have a set of runmodes that do what you want. They do not worry about security.
  2. Have a standard login page.
  3. Use the cgiapp_prerun() method to check if the person is logged in correctly. If they are not and they requested a page that requires being logged in, redirect them to the login page.
  4. Otherwise, you don't do anything. The user was validated correctly, so the normal flow of events should continue. I.e., the page requested should be rendered.

Your idea about having a separate file and all that ... why be so complicated? cgiapp_prerun() cannot be circumvented by the user. Your method, theoretically, can be, especially if you call another cgi script and return its return value.

Being right, does not endow the right to be rude; politeness costs nothing.
Being unknowing, is not the same as being stupid.
Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.

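As an added illustration of the prerun approach laid out in the four steps above (this is not code from dragonchild's or Anne's posts; the package name, the run modes, the constructed sample account and the `wanted` parameter are assumptions made for the example), here is a small CGI::Application subclass. The run modes know nothing about security; cgiapp_prerun() decides once per request whether the requested mode needs a login, swaps in the login form when it does, and after a successful login the user is sent back to the page they originally asked for.

```perl
#!/usr/bin/perl
# Added example (not code from this thread): a CGI::Application subclass that
# keeps its run modes security-unaware and does the login check once, in
# cgiapp_prerun().  The package name, run modes, %USERS table and the
# "wanted" parameter are assumptions made for illustration.
package MyApp;
use 5.010;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Session;
use Digest::SHA qw(sha256_hex);

# Run modes that require a logged-in user; anything not listed is public.
my %PROTECTED = map { $_ => 1 } qw(members admin);

# Constructed sample account: password "s3cret" stored as salted SHA-256.
my %USERS = (
    anne => { salt => 'k9x2', hash => sha256_hex('k9x2' . 's3cret') },
);

sub setup {
    my $self = shift;
    $self->start_mode('home');
    $self->run_modes(
        home    => 'home',
        login   => 'login',
        members => 'members',
        admin   => 'admin',
    );
}

# Called by run() before every run mode, so a request cannot reach a
# protected mode without passing through here.
sub cgiapp_prerun {
    my ($self, $runmode) = @_;
    return unless $PROTECTED{$runmode};          # public page: fall through

    my $session = CGI::Session->load($self->query);
    my $user = ($session && !$session->is_empty) ? $session->param('user') : undef;
    return if defined $user;                     # logged in: continue normally

    # Not logged in: remember the requested mode and show the login form
    # instead.  prerun_mode() may only be called from cgiapp_prerun().
    $self->param(wanted => $runmode);
    $self->prerun_mode('login');
}

sub login {
    my $self = shift;
    my $q    = $self->query;
    my $name = $q->param('user') // '';
    my $pw   = $q->param('pass') // '';

    # Only ever bounce to one of our own run modes, never to arbitrary input.
    my %modes  = $self->run_modes;
    my $wanted = $q->param('wanted') // $self->param('wanted') // 'home';
    $wanted = 'home' unless $modes{$wanted};

    if (my $acct = $USERS{$name}) {
        if (sha256_hex($acct->{salt} . $pw) eq $acct->{hash}) {
            # Good credentials: drop any pre-login session id and issue a
            # fresh one, then redirect to the page originally requested.
            if (my $old = CGI::Session->load($q)) { $old->delete; $old->flush; }
            my $session = CGI::Session->new();
            $session->param(user => $name);
            $session->flush;
            $self->header_type('redirect');
            $self->header_props(
                -url    => $q->url . "?rm=$wanted",
                -cookie => $q->cookie(-name => $session->name,
                                      -value => $session->id,
                                      -httponly => 1),
            );
            return '';
        }
    }

    # First visit or bad credentials: render the form, carrying "wanted"
    # along so the redirect still works after a successful POST.
    return sprintf(<<'HTML', $q->escapeHTML($wanted));
<form method="post">
  <input type="hidden" name="rm" value="login">
  <input type="hidden" name="wanted" value="%s">
  User <input name="user"> Password <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
HTML
}

sub home    { "public home page\n" }
sub members { "members only\n" }
sub admin   { "admin only\n" }

__PACKAGE__->new->run unless caller;
```

The point of the layout is that `members` and `admin` contain no checks at all: requesting `?rm=members` without a session never reaches them, because `prerun_mode('login')` replaces the run mode before dispatch. The whitelist on `wanted` keeps the post-login redirect inside the application's own run modes, and creating a new session on login rather than reusing whatever id the browser sent avoids carrying a pre-login session id across the authentication boundary.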

Re^3: Persistent login session with restricted access
by Anneq (Vicar) on Oct 11, 2004 at 03:11 UTC

    dragonchild,

    1. The reason I have a runmode for validation is because I want the user to be able to login or logout from any page, similar to the perlmonks site. So the "login" template component is part of every page rendered. After validation, the previously requested page is served up automatically without the user requesting it again. My default run mode is the only other one required at the moment because it is the only one needed to serve up simple pages. Other run modes will be added as more complex functionality is added to the site.
    2. As stated above, if a user requested a page that required authentication, they would get a notification that they must be logged in to view that page. After logging in, the previously requested page automatically displays without having to request it again.
    3. My cgiapp_prerun() only checks to see if the person is logged out and then resets the session and displays the home page. I didn't see the need to check if a person is logged in, because the site is based on levels of authorization (e.g., anonymous, members, executive, administrators). For example, users not logged in can access the anonymous level pages. My cgi page building module checks the authorization level of the user against that of the page to determine whether the page should be served. I looked into redirecting but didn't see how to do this in a way that made sense with how my site is structured. I suspect that I'm missing something here but I couldn't see how it would work for me. I use a CGI query parameter that is placed in the urls of dynamically generated navbars to indicate to my site what resource is being requested. Since these are all, thus far, simple content without forms or other functionality, they are served by my default run mode. I wanted to keep it simple and it works so far. Maybe I'll see your point (and have to refactor the code) when I begin to add more functionality.
    4. I use a separate .htaccess file to prohibit people from guessing the layout of my content and typing in those guesses in the url, thus bypassing my index.cgi script. This was a security threat that I had to address and I couldn't think of any other way to do it. I'm not using HTTP Authentication.

      I'm still looking into redirecting, but I don't fully understand how to do it properly in a way that makes sense here. Any advice would be appreciated.

      Thanks for your help,

      Anne