Phoenix.pm: Keeping track of web logins
Mike Cantrell
mikec at autodispatch.com
Wed Aug 2 10:39:33 CDT 2000
Much thanks Joel, and Jim. I'll give it a shot.
Regards,
Mike Cantrell
----- Original Message -----
From: "Joel Nelson" <joelnelson at home.net>
To: <phoenix-pm-list at happyfunball.pm.org>
Sent: Tuesday, August 01, 2000 9:20 PM
Subject: Re: Phoenix.pm: Keeping track of web logins
>
>
> Mike Cantrell wrote:
>
> > I'm wondering if someone out there has a good method of keeping track of
web
> > logins when going from page to page. I've ofter relied on .htaccess to
> > generate a $ENV{REMOTE} user to check against but what if you aren't
using
> > .htaccess and have a html based login form?
> >
> > 1) I've thought about setting temp cookies but that seems like a
security
> > problem and I'd rather not use cookies anyways.
>
> You can still solve it somewhat that way.
>
> > 2) creating hidden tags to pass along to the next page if it's a form
but
> > what if it's not a form? That also seems like a security problem.
>
> Not a good idea.
>
> > 3) encoding the login/passwd into the URL string but that seems to be a
> > security problem as well. Has anyone tried encrypting the login/passwd
in
> > the URL string? Is there any good doc's out there on doing such a thing?
>
> Same as the last one, no!
>
> > 4) I often see long sessionID variables in URL strings of sites I've
logged
> > into but I'm not sure what they are doing with it.
>
> That's sort of the .asp way. You could try Jim's suggestion and check out
> Apache::Session. I have not tried it. However, I do have a cookie way that
I
> kinda like. I converted a method I found somewhere on the PHP site.
Assuming
> your using perl, it goes something like this:
>
> We don't use the users password in the cookie at all for security reasons.
After
> they submit their name and password and it is verified against the
database, we
> use their login name encrypted with todays weekday name to create an
encrypted
> key stored as a cookie. Each time they access a page protected by the
script, we
> take the name and key from the cookies, create a new key based on todays
> weekname and their login name, and compare the newly created key with the
cookie
> key. If they are the same we don't need to check the database and we reset
the
> cookies. Even as I type it, it sounds confusing, but it works okay. I
pasted in
> the code we use. You'll figure it out. Hope it helps!!
>
> Joel
>
> ###########################################################
> # _Login.inc #
> # #
> # To be included in cgi scripts requiring member access. #
> # Exports: $memberSeq $memberName & $memberPassword #
> # #
> ###########################################################
> use DBI;
>
> #$byPassDbSecurity = 1;
>
> #------------------------------- Start of Main program loop
> ---------------------------#
> &_initialize;
>
> if (%memberInfo) {
> #print header,start_html,"cookie
> info:<br>name[$memberName]<br>key[$memberKey]",end_html; exit;
> if (&passesCookieSecurity) {
> &setCookieAndContinue;
> } else {
> &loginForm("Security Info changed, you must log in again!");
> }
> } elsif ($loggingIn) {
> #print header,start_html,"logging
> In:<br>name[$fMemberName]<br>key[$fMemberKey]",end_html; exit;
> if (&passesDbSecurity) {
> &setDbCookieAndContinue;
> } else {
> &loginForm("Login Error");
> }
> } else { &loginForm() }
>
> #-------------------------------- End of Main program loop
> ---------------------------#
>
> #--------------------------------- Start of sub-routines
> -----------------------------#
>
> #<----------------------------------------------------------------------
> initialize -->
> sub _initialize {
> # Do we already have cookie info? If so, set member variables
> %memberInfo = cookie('memberInfo');
> if (%memberInfo) {
> $memberName = $memberInfo{'memberName'};
> $memberSeq = $memberInfo{'memberSeq'};
> $memberKey = $memberInfo{'memberKey'};
> $parentSeq = $memberInfo{'parentSeq'};
> }
> %memberPrefs = cookie('memberPrefs');
> if (%memberPrefs) {
> $memberCompany = $memberPrefs{'memberCompany'};
> $memberType = $memberPrefs{'memberType'};
> }
>
> # Do we have form variables? If so, we're logging in
> $fMemberName = param('fMemberName');
> $fMemberPassword = param('fMemberPassword' );
> if ($fMemberName && $fMemberPassword) { $loggingIn = 1 }
> $fMemberCompany = param('fMemberCompany');
> $fMemberCompany = $memberCompany unless ($fMemberCompany);
> $fMemberType = $memberType unless ($fMemberType);
>
> # Set general script variables
> $script = script_name unless $script;
> }
>
> #<-----------------------------------------------------
passesCookieSecurity -->
>
> sub passesCookieSecurity {
> my @days =
> ('sunday','monday','tuesday','wednesday','thursday','friday','saturday');
> my @time = localtime(time);
> my $cryptKey = $days[$time[6]];
> if ($memberKey eq crypt($memberName,$cryptKey)) { return 'true'; }
> }
>
> #<-----------------------------------------------------
setCookieAndContinue -->
>
> sub setCookieAndContinue {
> my $cookie =
>
cookie(-name=>'memberInfo',-value=>\%memberInfo,-expires=>'+8h',-path=>'/');
> my $cookie2 =
>
cookie(-name=>'memberPrefs',-value=>\%memberPrefs,-expires=>'+1y',-path=>'/'
);
> print header(-cookie=>[$cookie,$cookie2]);
> }
>
> #<---------------------------------------------------------
passesDbSecurity -->
>
> sub passesDbSecurity {
> if ($byPassDbSecurity) { return 'true'; }
> else {
> $dbh = DBI->connect($dataSource,$dbUser,$dbPassword) || die("SQL
Error:
> ".$dbh->errstr);
>
> # Is this login a company/agency?
> if ($fMemberType eq 'company') {
> $query = "select c.name,u.userSeq,u.companySeq,u.name,u.password
from user
> u, company c where c.companySeq = u.companySeq and u.name = '$fMemberName'
and
> c.name = '$fMemberCompany'";
> } else {
> $query = "select c.name,u.agentSeq,u.agencySeq,u.name,u.password
from
> agent u, agency c where c.agencySeq = u.agencySeq and u.name =
'$fMemberName'
> and c.name = '$fMemberCompany'";
> }
>
> my $sth = $dbh->prepare($query);
> $sth->execute;
> $errorMsg = $dbh->errstr();
> if ($errorMsg) { $error = "$errorMsg"; }
> else {
> my $numrows = $sth->rows;
> if ($numrows == 0) {
> $error = "Member [$fMemberName] name not found. Remember, name and
> password are CaSe sensitive!";
> }
> }
>
> if (!$error) {
> my @row = $sth->fetchrow;
> if (lc($row[0]) ne lc($fMemberCompany)) {
> $error = "Invalid company for user [$fMemberName]!";
> }
> if ($row[4] ne $fMemberPassword) {
> $error = "Password incorrect for member [$fMemberName]. Remember,
name
> and password are CaSe sensitive!";
> }
> $memberSeq = $row[1];
> $parentSeq = $row[2];
> }
>
> if (!$error) { return 'true'; }
> }
> }
>
> #<---------------------------------------------------
setDbCookieAndContinue -->
>
> sub setDbCookieAndContinue {
> my @days =
> ('sunday','monday','tuesday','wednesday','thursday','friday','saturday');
> my @time = localtime(time);
> my $cryptKey = $days[$time[6]];
> $memberInfo{'memberName'} = $fMemberName;
> $memberInfo{'memberSeq'} = $memberSeq;
> $memberInfo{'memberKey' } = crypt($fMemberName,$cryptKey);
> $memberInfo{'parentSeq' } = $parentSeq;
> my $cookie =
>
cookie(-name=>'memberInfo',-value=>\%memberInfo,-expires=>'+8h',-path=>'/');
> $memberPrefs{'memberCompany'} = $fMemberCompany;
> $memberPrefs{'memberType'} = $fMemberType;
> $memberType = $fMemberType; # Needed for changing from one user type to
> another
> my $cookie2 =
>
cookie(-name=>'memberPrefs',-value=>\%memberPrefs,-expires=>'+1y',-path=>'/'
);
> print header(-cookie=>[$cookie,$cookie2]);
> }
>
> #<------------------------------------------------------------------------
Show
> Form -->
> sub loginForm {
> #Delete existing cookie info
> my %memberInfo;
> $cookie =
>
cookie(-name=>'MemberInfo',-value=>\%memberInfo,-expires=>'-1h',-path=>'/');
>
> print
> header(-cookie=>$cookie),
> start_html(-link=>'cyan',-vlink=>'cyan'),"\n",
> "<center>\n",
> "<table border=0 bgcolor=#333366 cellpadding=5 cellspacing=0
width=80%>\n",
> " <tr>\n",
> " <td>\n",
> " <center><font face=arial color=white><font size=+1>Our
> Company</font><p>You have accessed a members only area. If you are\n",
> " already a member you can login below. Membership is <b>FREE</b>
and
> takes only\n",
> " a couple of minutes.<br><a href=/cgi-bin/connect/signup.cgi>Click
> here</a> to sign up!<font></center>\n",
> " <td>\n",
> " </tr>\n",
> " </table>\n",
> "</center>\n",
> " <center>\n";
> if ($error) { print "<br><font color=red>$error</font><br>\n"; }
> print start_form(-method=>'post',-action=>$script);
> if ((!$fMemberName)&&($fMemberPassword)) { print "<center>Oops,
missing
> Name! </center>\n",br; }
> if (($fMemberName)&&(!$fMemberPassword)) { print "<center>Oops,
missing
> Password! </center>\n",br; }
> print
> "<table border=1 cellpadding=0 cellspacing=0 bgcolor=cccccc>\n",
> " <tr><td>\n",
> " <table>\n",
> " <tr>\n",
> " <td colspan=2 align=center><font face='arial'>" .
> ucfirst($fMemberType) . " Login</td>\n",
> " </tr>\n",
> " <tr>\n",
> " <td align=right><font face='arial' size=-1><NOBR><b>Member
> Name: </NOBR><br></td>\n",
> "
>
<td>",textfield(-name=>fMemberName,-size=>30,-value=>$fMemberName),"<br></td
>\n",
>
> " </tr>\n",
> " <tr>\n",
> " <td align=right><font face='arial'
> size=-1><b>Password: <br></b></font></td>\n",
> "
>
<td>",password_field(-name=>fMemberPassword,-size=>30,-value=>$fMemberPasswo
rd),"<br></td>\n",
>
> " </tr>\n",
> " <tr>\n",
> " <td align=right><font face='arial' size=-1><NOBR><b>Company
> Name: </NOBR><br></td>\n",
> "
>
<td>",textfield(-name=>fMemberCompany,-size=>30,-value=>$fMemberCompany),"<b
r></td>\n",
>
> " </tr>\n",
> " <tr>\n",
> " <td colspan=2 align=right><input type='Submit' value='Log
> In'><br></td>\n",
> " </tr>\n",
> " </table>\n",
> " </tr></td>\n",
> "</table>\n",
> end_form,
> " </center>\n",
> end_html;
> exit;
> }
>
>
More information about the Phoenix-pm
mailing list