Jon J wrote:

> That is what I did for our site. We have a members-only section that
> allows them to have web access to some configurable pieces of their
> services. We store their encrypted account password as a column in the
> table that holds account info. When they try to access the protected area,
> the module steps in and prints out a form for authentication. It takes in
> its stuff and compares it to what it should be as returned by the db and
> either rejects them or assigns them a cookie with a random token that is
> also stored in the db. If they try to access the area and the module sees
> that they have such a cookie, it tests the token to see if it's still valid
> and the process behaves pretty seamlessly. It's also a good method because
> you can add a lot of proprietary type functions for extra security,
> tracking, etc. Unfortunately I do not have a test account that you could
> examine the interface through. If you need any help or have any questions,
> I may be able to provide assistance though.
>
> On Tue, 26 Oct 1999, James G Smith wrote:

Well, correct me if I'm wrong, but would a protected directory in your htdocs tree
be enough? I have a site running from a postgres database where people can change the
contents if they have an account. I set up a protected dir where the mod_perl
scripts live plus a handler for all the files in that directory that authenticates
a user against the entries in a postgres table. Now one could add fields to that
table with an expiry date and so on. The handler is very simple and looks like this:

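package Apache::AuthMe;
# file: Apache/AuthMe.pm

use strict;
use Apache::Constants qw(:common);
use Postgres;

sub handler {
  my $r = shift;
  # Fetch the password sent via HTTP Basic auth; a non-OK result is passed on as-is.
  my($res, $sent_pw) = $r->get_basic_auth_pw;
  return $res if $res != OK;

  my $username = $r->connection->user;
  # The user name is client-supplied: escape backslashes and quotes
  # before interpolating it into the SQL string.
  (my $quoted = $username) =~ s/\\/\\\\/g;
  $quoted =~ s/'/''/g;
  my $db=db_connect("xyz");
  my $passwordcheck = $db->execute("Select * from abc where abc.username='$quoted';");
  # Assumes username and password are the first two columns of abc.
  my ($user, $pwd) = $passwordcheck->fetchrow();
  # defined() check: an unknown user must not match an empty password.
  if (defined $pwd && $sent_pw eq $pwd){
       return OK;
    }else{
      $r->note_basic_auth_failure;
      # Log the user name, not the submitted password.
      $r->log_reason("Access disabled, Reason: invalid password for $username", $r->filename);
      return AUTH_REQUIRED;
    }
}
1;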

If you add a timestamp field plus a line like $time = time(); you can compare these
values...

                Hope this helps

                                -Sebastian-


--
--- Attention, the phone numbers have changed ---

Sebastian Ahrens
Ruhr-Universitaet Bochum
Dez. 2 - BIF
D-44780 Bochum
Tel.: 0234/322-6182
Mobil: 0170/2865291
Fax : 0234/3214-684
EMail: [EMAIL PROTECTED]
WWW: http://www.ruhr-uni-bochum.de/rub-bif
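
The cookie-token scheme described in the quoted message, combined with the timestamp comparison suggested in the reply, as an added example that is not part of the original thread or either poster's code. The in-memory %sessions hash stands in for the database table, and the names new_token, issue_token, check_token and $TTL are hypothetical.

```perl
#!/usr/bin/perl
# Added example: random session token with an expiry timestamp.
# %sessions stands in for the database table; all names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $TTL = 30 * 60;   # assumed session lifetime in seconds
my %sessions;        # sha256(token) => { user => ..., expires => ... }

# Read 16 bytes from the kernel CSPRNG and hex-encode them.
sub new_token {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $n = read($fh, my $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack('H*', $buf);
}

# Called after the password check succeeded; the return value goes into the cookie.
sub issue_token {
    my ($user, $now) = @_;
    my $token = new_token();
    # Store only a hash, so a leaked table does not yield usable cookies.
    $sessions{ sha256_hex($token) } = { user => $user, expires => $now + $TTL };
    return $token;
}

# Returns the user name for a valid, unexpired token, otherwise undef.
sub check_token {
    my ($token, $now) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    my $key = sha256_hex($token);
    my $s = $sessions{$key} or return undef;
    if ($now >= $s->{expires}) {    # the timestamp comparison
        delete $sessions{$key};     # expired entries are removed
        return undef;
    }
    return $s->{user};
}

# Constructed walk-through: a fresh cookie, a forged one, and an expired one.
my $t0     = time();
my $cookie = issue_token('alice', $t0);
print "fresh:   ", (check_token($cookie, $t0 + 60)       // 'rejected'), "\n";
print "forged:  ", (check_token('0' x 32, $t0 + 60)      // 'rejected'), "\n";
print "expired: ", (check_token($cookie, $t0 + $TTL + 1) // 'rejected'), "\n";
```

In a mod_perl handler the same check would run against the cookie value on each request, with the hash lookup replaced by a query on the session table.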
