I am writing a script for a company to use to manage a section of their website themselves. I have the script working, except I need some sort of authentication mechanism and I was wondering what my options were. This company is using their ISP for their hosting, and it's one of those really good ISP/really crappy webhost combinations. There is no secure server, no database, etc., and I was wondering what my options were. This script is not handling any sensitive information; I just want to make sure only authorized personnel can run it. Thanks for your time.
Two options come to mind. The first is the typical .htaccess password file method, which, if your ISP runs Apache, may be one of the easier solutions. Look at the docs on apache.org for .htaccess or htpasswd and you should see examples of how to set this up. Essentially it will protect a whole directory and will manage the session login for you. This does have limitations, but not any that should affect what you have described.
The other would be to use some sort of cookie-based login script which authenticates against a "database", which can be a flat text file; no networked database server is needed. With this approach you can get as complex as you want. For some people just knowing a "secret" page is enough to set the cookie. Others check a username and password, then set a cookie; if that cookie exists then they are authenticated. For others a username/password combination is needed, which then sets a hashed cookie consisting of the username, expiration, etc. and a secret token then used to recreate the hash to authenticate the user, preventing tampering. Go one step further and restrict only requests from certain IPs (again this is spoofable but is just one more obstacle to beating the security). In all of these cases the mechanism is the same: provide a page with a form, have a login script check the username and password that is stored on the local server and set a cookie, then have each of your other scripts just check the cookie for authentication.
Note in both cases the password is viewable over the network connection so someone could snoop it, in which case you would need https.
I would give it a shot and see what you come up with, then come back with specific questions about implementation. Most CGI books will have a chapter or section on session management and authentication; you might want to check one of them out at a bookstore or library.
http://danconia.org
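
The hashed-cookie variant described in the reply above, as an added example that is not part of the original thread: the cookie carries the username and expiry plus a keyed hash that the server recreates on every request. It assumes Python and HMAC-SHA256 as the keyed hash; the function names, the `|` field layout and the sample secret are hypothetical choices made for this illustration.

```python
import hashlib
import hmac
import time

# Constructed sample secret (assumption): a real deployment loads a long
# random value from a file stored outside the web root.
SECRET = b"constructed-sample-secret"


def _sign(payload: str, secret: bytes) -> str:
    """Keyed hash over the payload; only a holder of `secret` can produce it."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cookie(username: str, lifetime_s: int, secret: bytes = SECRET, now=None) -> str:
    """Return 'username|expiry|signature' to set as the cookie value after login."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else int(now)
    payload = f"{username}|{now + lifetime_s}"
    return f"{payload}|{_sign(payload, secret)}"


def verify_cookie(value: str, secret: bytes = SECRET, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = value.split("|")
    if len(parts) != 3:
        return None
    username, expiry, signature = parts
    expected = _sign(f"{username}|{expiry}", secret)
    # Recreate the hash and compare in constant time before trusting any field.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return None
    if not (expiry.isascii() and expiry.isdigit()):
        return None
    now = int(time.time()) if now is None else int(now)
    if now >= int(expiry):
        return None  # signature is valid but the login has expired
    return username
```

Each protected script calls `verify_cookie` on the incoming cookie and refuses the request when it returns `None`; editing the username or expiry in the browser changes the payload and the recreated hash no longer matches.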