What I've done is:

1) have login page w/ hidden input name="formname" w/ some value, which leads to
2) cgi prog that cks that formname eq "some value" and that the username &
password1 and password2 exist first:

    unless ($informname eq "some value"
            && -e $inusername && -e $inpassword1 && -e $inpassword2) {
        # reject the request here; -e is Perl's file-existence test
    }

    Then ck that $inusername & $inpassword1 & $inpassword2 match database values.

    Then print html form w/ hidden values that get passed onto your 
real cgi prog, which again cks that the *new html formname eq value and 
that the username and password1 exist.

Any thoughts on the security risks or otherwise are welcome...


>Folks,
>
>A basic question about implementing user authentication by means of 
>CGI (and Perl if recommended):
>
>I haven't found a script online or in a book that will do what I 
>want (see below). HTTP Basic Authentication doesn't provide for 
>explicit log-out. I'd rather not use cookies so users behind proxies 
>won't have trouble with this site.
>
>Can anyone tell me:
>A. can it be done securely w/o huge program, incredible CGI/Perl 
>skill, or server hacking?
>B. Where a concept/code starting point could be found? (URL or book 
>- I don't want a specific code answer at this point.)
>
>Thanks in advance for your time on this one,
>
>4
>
>My criteria:
>
>I. Account structure I want:
>unique user accounts
>users are members of groups (a la Unix)
>use of HTTP's ".passwd" is OK
>
>II. Platform I'd use:
>OS: Win, Unix, or Linux
>Server: Apache or IIS
>Dev.: MacPerl5
>
>III. Security of log-in:
>secure transmission of username & password
>
>IV. Behaviour I want:
>1. (from public web page) All users see username/password log-in fields.
>2. Rejected log-in gets error message (page or pop-up) and is 
>returned to log-in page.
>3. successful log-ins sent to username-specific page. This page and 
>all others exclusively for this user account are visible only this 
>user (except those pages appropriate to this user's group).
>4. (from any of this user's pages) Log-out by clicking "log-out" link.
>5. Logged-out users sent to some public "thank you/farewell" page on site.
>--
>--
>
>(207) 874-0678
>[EMAIL PROTECTED]
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]


-- 
-------------------------------
-  Teresa Raymond             -
-  Mariposa Net               -
-  http://www.mariposanet.com -
-------------------------------
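An added example, not code from the thread or from Teresa's scheme above: the design described passes the raw username/password through hidden fields on every page, and the fixed "formname" value is visible in the page source to anyone who views it. One way to keep the hidden-field, no-cookie approach the original poster asked for while sending the password only once is to check the credentials at login and then hand the browser a signed, expiring token for the hidden field; every later CGI verifies the token's HMAC instead of re-checking the password. The $SECRET value, the %passwd hash standing in for the "database values", and the 15-minute lifetime are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a signed, expiring token that
# travels in a hidden form field in place of the raw username and password.
# Assumptions: $SECRET is a server-side value never written into the HTML,
# and %passwd is a constructed stand-in for the poster's password database.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.9.3

my $SECRET = 'replace-with-a-long-random-server-side-secret';   # assumption
my $TTL    = 15 * 60;                                            # token lifetime in seconds

# Constructed stand-in for "database values": user => password.
my %passwd = (alice => 'correct horse battery staple');

# Step 1: check the submitted credentials once, at login time only.
sub check_login {
    my ($user, $pass) = @_;
    return 0 unless defined $user && defined $pass && length $user && length $pass;
    return 0 unless exists $passwd{$user};
    return constant_time_eq($passwd{$user}, $pass);
}

# Step 2: on success, mint "user|expiry|hmac" for the hidden input value.
sub make_token {
    my ($user, $now) = @_;
    my $exp = $now + $TTL;
    my $mac = hmac_sha256_hex("$user|$exp", $SECRET);
    return "$user|$exp|$mac";
}

# Step 3: every later CGI verifies the token instead of the password.
# Returns the username on success, undef on tampering, expiry or bad input.
sub verify_token {
    my ($token, $now) = @_;
    return undef unless defined $token;
    my ($user, $exp, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $user =~ /^\w+\z/ && $exp =~ /^\d+\z/;
    return undef if $now > $exp;                     # expired
    my $expect = hmac_sha256_hex("$user|$exp", $SECRET);
    return constant_time_eq($expect, $mac) ? $user : undef;
}

# Compare two strings without leaking where they differ through timing.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Demonstration with a fixed clock so the run is reproducible.
my $now = 1_000_000;
die "login should succeed"    unless check_login('alice', 'correct horse battery staple');
my $tok = make_token('alice', $now);
die "token should verify"     unless (verify_token($tok, $now) || '') eq 'alice';
die "tampered token accepted" if defined verify_token('bob|' . substr($tok, 6), $now);
die "expired token accepted"  if defined verify_token($tok, $now + $TTL + 1);
print "all checks passed\n";
```

With a token like this, the "log-out" link (requirement IV.4 in the quoted message) simply leads to a page that stops echoing the hidden field, and an expired or edited token fails verification on every protected CGI. The token still has to travel over HTTPS, since anyone who can read it can replay it until it expires; to revoke one before expiry you would need a small server-side deny list.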
