Re: CGI::Session file permission?

2005-03-29 Thread Steven Schubiger
On 29 Mar, David Garamond wrote:

> Am I right to think that CGI::Session::File driver is insecure? It
> creates the session files with a hardcoded 0644 permission, while the
> synopsis/examples tell us to store the files in /tmp.

You're right, the chmod mode is hard-coded.
Do we desire a patch?

-- 
Steven Schubiger 
  [EMAIL PROTECTED]

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/ http://learn.perl.org/first-response




CGI::Session file permission?

2005-03-28 Thread David Garamond
Am I right to think that CGI::Session::File driver is insecure? It 
creates the session files with a hardcoded 0644 permission, while the 
synopsis/examples tell us to store the files in /tmp.

Regards,
dave
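The thread above establishes that the File driver sets a fixed 0644 on each session file. Since chmod() is not subject to the process umask, that mode cannot be tightened from the calling script; what the script does control is the directory. The following is an added example (not code from the thread or from CGI::Session itself) that keeps session files under a private 0700 directory instead of the shared /tmp the module's synopsis suggests, and includes an audit helper that lists session files readable by group or other. The directory path and the driver's default "cgisess_<id>" file naming are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from CGI::Session): keep
# CGI::Session::File session files in a directory other local users cannot
# enter. The driver chmod()s each file to a fixed 0644, and chmod() ignores
# umask, so the file mode cannot be tightened here; the directory mode can.
# Assumptions: the path below, and the driver's default "cgisess_<id>"
# file naming used by the audit helper.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;
use CGI;
use CGI::Session;

my $SESSION_DIR = '/var/lib/myapp/sessions';   # assumed; deliberately not /tmp

# Create (if needed) and verify a private session directory:
# not a symlink, owned by this process's uid, no group/other bits.
sub private_session_dir {
    my ($dir) = @_;
    die "$dir is a symlink" if -l $dir;
    unless (-d $dir) {
        mkdir $dir, 0700 or die "mkdir $dir: $!";
    }
    my @st = stat $dir or die "stat $dir: $!";
    my ($mode, $uid) = ($st[2], $st[4]);
    die "$dir is owned by uid $uid, not by this process (uid $<)"
        unless $uid == $<;
    die sprintf("%s is accessible to group/other (mode %04o)", $dir, S_IMODE($mode))
        if S_IMODE($mode) & 0077;
    return $dir;
}

# Audit: session files in $dir that group or other can read. Run against a
# shared directory such as /tmp this lists exactly what the thread is
# worried about; under a 0700 directory the files are unreachable anyway.
sub readable_session_files {
    my ($dir) = @_;
    opendir my $dh, $dir or die "opendir $dir: $!";
    my @leaky;
    for my $name (grep { /^cgisess_/ } readdir $dh) {
        my $path = File::Spec->catfile($dir, $name);
        my @st = stat $path or next;
        push @leaky, $path if S_IMODE($st[2]) & 0044;   # r bit for group or other
    }
    closedir $dh;
    return @leaky;
}

my $dir = private_session_dir($SESSION_DIR);
my $cgi = CGI->new;
my $session = CGI::Session->new('driver:File', $cgi, { Directory => $dir })
    or die CGI::Session->errstr;
$session->param('note', 'stored under a 0700 directory');
$session->flush;

# Report any session files left in the shared directory from older runs.
for my $path (readable_session_files('/tmp')) {
    warn "exposed session file in shared /tmp: $path\n";
}

print $session->header;   # emits the CGISESSID cookie with the normal headers
```

The ownership and mode checks run on every request, so a directory that was later loosened by hand or replaced with a symlink makes the script stop rather than silently write readable session files.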



CGI::SESSION, mysql, storing session data

2004-11-12 Thread Harley Davidson
Hello,
I have to send this from my hotmail account, I apologize in advance if it's 
completely unreadable;)

I am using CGI::Session, storing the session data in mysql.  I am able to 
store the appropriate values into the id and a_session columns.  However, I 
am also trying to store group information in the session record.  
There doesn't seem to be much to it, but obviously I'm missing something. 
The column I created is called group_list and it is text.  I thought I only 
needed a single line of code to accomplish this: 
$session->param('group_list', $groups).  But it isn't working.  Any help is 
appreciated.

...
if (param('login')) {
    $params{username} = UnTaint_Credentials($params{username});
    $params{password} = UnTaint_Credentials($params{password});
    my $ldap = Net::LDAP->new($domain_controller) or die $@;
    # Bind as the application account first so the user's DN can be looked up.
    my $mesg = $ldap->bind($app_account,
                           password => $password,
                           version  => 3);
    my $result = $ldap->search(
        base      => 'DC=corp,DC=workplace,DC=com',
        filter    => "CN=$params{username}",
        attrs     => [ 'distinguishedName', 'memberOf' ],
        scope     => 'sub',
        sizelimit => 5);
    # Exactly one entry is required: zero would leave entry(0) undefined
    # below, more than one is ambiguous. Stop here in either case.
    if ($result->count != 1) {
        $err = "LDAP search on supplied username did not return exactly one entry.";
        print_html();
        exit;
    }
    my $dn = $result->entry(0)->dn();
    # memberOf is multi-valued; list context keeps every group, whereas
    # scalar context would keep only the first one.
    my $groups = [ $result->entry(0)->get_value('memberOf') ];
    # Re-bind as the user to verify the supplied password.
    $result = $ldap->bind($dn,
                          password => $params{password},
                          version  => 3) or die "I am dead";
    if ($result->code == 0) {
        ## bind successful, create session and store group info
        ## remember, authorization based on group membership handled by app
        my $session = CGI::Session->new('driver:MySQL', undef, { Handle => $dbh });
        $session->expire('+1h');
        $session->param('group_list', $groups);
        $cookie = $q->cookie(CGISESSID => $session->id);
        $cookie->secure('1');
    }
    else {
        ## bind failed
        $err .= "Authentication Failed. Please try again.";
    }
}



re: CGI::SESSION, mysql, storing session data

2004-11-12 Thread Harley Davidson
Problem solved.  Reading the module docs like a technical manual instead of 
a comic strip seemed to help;)




Re: CGI::SESSION, mysql, storing session data

2004-11-12 Thread Chasecreek Systemhouse
On Thu, 11 Nov 2004 13:09:58 -0600, Harley Davidson
[EMAIL PROTECTED] wrote:
> Problem solved.  Reading the module docs like a technical manual instead of
> a comic strip seemed to help;)


But you did not post the correction/solution=)


So, others may be doomed to repeat...

-- 
WC -Sx- Jones
http://insecurity.org/





Re: CGI::SESSION, mysql, storing session data

2004-11-12 Thread Harley Davidson
> But you did not post the correction/solution=)

Sorry about that.  The resolution was to re-read the section of the 
CGI::Session documentation which talks about the data table:

"Session data is stored in the form of hash table, in key value pairs"

I thought that the first argument to the param method was the column name.  
It is actually the hash name. I didn't need to create a new column.  That 
data was being stored in the a_session column already.

I do have another question about CGI::Session though.  This login script 
creates a session object ONLY if authentication succeeded.  The user is then 
redirected to the originally requested url (another perl script).  I can't 
figure out how I can validate the provided sessionID WITHOUT creating a new 
session record in the database.  Is it possible to do so using methods 
provided by the library?

I ended up having to do the following:
## redirect to login if no session id
if (!$q->cookie('CGISESSID')) {
    print $q->redirect(-uri => 'https://hostname/cgi-bin/login.cgi', -status => 302);
    exit;   # without this the rest of the script still runs after the redirect
}
my $sid = $q->cookie('CGISESSID');
my $session = new CGI::Session('driver:MySQL', $sid, { Handle => $s_dbh });
## new() created a new session, which means a bad sessionID. redirect to login
if ($session->id() ne $sid) {
    $session->expire('+1s'); # will want to delete this actually
    print $q->redirect(-uri => 'https://hostname/cgi-bin/login.cgi', -status => 302);
    exit;
}




CGI::Session

2004-10-11 Thread Bill Stephenson
Could anyone provide a working example of a simple script that uses 
use CGI::Session;

I've tried playing with the examples at:
http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session/Tutorial.pm
And either they are way out of date or I'm just a complete dufus...
I got errors starting with this line in my test script:
use CGI::Session;
So I tried installing it with cpan using this line:
cpan install CGI:Session
And got this error:
Warning: Cannot install CGI:Session, don't know what it is.
So I tried using this in my script instead:
use CGI-Session;
The error went away but I can't seem to make any headway. I'd send my 
test script but none of it is working and I don't think it'd help much 
because it's based on the docs that are not up-to-date (or I'm just a 
complete dufus...)

Thanks,
Bill Stephenson



Re: CGI::Session

2004-10-11 Thread Owen
On Mon, 11 Oct 2004 12:03:27 -0500
Bill Stephenson [EMAIL PROTECTED] wrote:

> So I tried installing it with cpan using this line:
>
>   cpan install CGI:Session

Maybe try:   install CGI::Session



-- 
-- 
Owen


 





CGI::Session and mysql dbh

2003-10-24 Thread perl
If I store a dbh in a session as in $session->param('DB', $dbh), what
happens when the session expires due to the expire setting? Will the dbh still
be in memory or be cleaned up?

-thanks





Determine return value of new CGI::Session(...)

2003-10-21 Thread perl
How can I determine if the return value is a new or a current session?

$session = new CGI::Session("driver:File", $cgi, { Directory => '/tmp' });

This call returns a $session, but I can't determine in the program whether it was
new or current. I'm looking for something like below:

if ($session = new CGI::Session("driver:File", $cgi, { Directory => '/tmp' }))
{ print "this is a new session"; }
else
{ print "this is a current session"; }

thanks


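Two posts on this page ask the same thing from different angles: the question above (is the object new() handed back a fresh session or an existing one?) and the earlier "storing session data" thread, which needed to validate a CGISESSID on a protected page without new() writing a fresh row to the database for every bad or missing cookie. The added example below (not code from either thread, and not CGI::Session's own) answers both with the load() class method that CGI::Session 4.x added: load() looks a session up but never creates one, and is_empty()/is_expired() report what it found, so a forged or stale id is rejected before anything touches the table. The MySQL DSN and credentials, and the 'username' parameter assumed to have been stored by the login script, are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from either thread: a guard for a protected CGI
# script that checks an existing CGISESSID without creating a session
# record, and that can tell an existing session from a missing one.
# Assumes CGI::Session 4.x (load(), is_empty(), is_expired()); 3.x new()
# always created a session, which is why the thread compared ids after
# the fact. DSN, credentials and the 'username' parameter are assumed.
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;

my $LOGIN_URL = 'https://hostname/cgi-bin/login.cgi';

# Redirect to the login page and stop. Without the exit the rest of the
# protected script would still run after the redirect header is printed.
sub bounce_to_login {
    my ($q) = @_;
    print $q->redirect(-uri => $LOGIN_URL, -status => 302);
    exit;
}

# Returns an authenticated session object, or redirects and exits.
sub require_session {
    my ($q, $dbh) = @_;

    my $sid = $q->cookie('CGISESSID');
    # The default id generator (CGI::Session::ID::md5) yields 32 hex
    # characters; anything else is rejected before the driver sees it.
    bounce_to_login($q) unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;

    # load() reads the row for $sid if there is one; no row is written.
    my $session = CGI::Session->load('driver:MySQL', $sid, { Handle => $dbh })
        or die CGI::Session->errstr;

    if ($session->is_expired) {
        # Make sure the expired row is gone (harmless if load() already
        # removed it), then send the user back to log in.
        $session->delete;
        $session->flush;
        bounce_to_login($q);
    }
    # Unknown id: nothing in the table. This is the case the thread detected
    # only after new() had already inserted a fresh row.
    bounce_to_login($q) if $session->is_empty;

    # A row exists, but only a session created by the login script after a
    # successful bind carries a username (assumed login-side parameter).
    bounce_to_login($q) unless defined $session->param('username');

    return $session;
}

my $q   = CGI->new;
my $dbh = DBI->connect('dbi:mysql:database=sessions', 'app', 'secret',
                       { RaiseError => 1 });            # assumed credentials
my $session = require_session($q, $dbh);

# group_list may be a single string or an array reference depending on how
# the login script stored it; accept both.
my $g = $session->param('group_list');
my @groups = ref $g eq 'ARRAY' ? @$g : defined $g ? ($g) : ();

print $q->header(-type => 'text/plain');
print "Hello, ", $session->param('username'), "\n";
print "Groups: ", join(', ', @groups), "\n";
```

Because require_session never calls new(), an attacker who sends random CGISESSID values gets a redirect and leaves no trace in the sessions table; the only place a session is created is the login script, after the password check has passed.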



Apache::Session vs CGI::Session?

2003-10-20 Thread perl
Can someone comment on some advantages/disadvantages?

Does opening a new browser causes a new session in either of the two?

thanks





Re: cgi session

2003-01-08 Thread Vitaliy Babiy
You can keep the client's status (session) in the URI or in cookies.
In the case of URI it's quite simple:
In the script login.cgi you just check if login correct and generate session
string so link will look like this
http://www.mydomain.com/cgi-bin/next.cgi?session=567885734957345
Also you save session string into database with all required data.

Of course you need to check in script next.cgi if session valid or not. If
valid you can get all session data from your database.


Admin-Stress [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

> How can I check cgi session? mmm .. maybe better I explain like this:
>
> I just want to make a 'secure site' that needs username and password. So,
> the first page of my site would be fill in your username and password, for
> example, it will be placed here :
>
> http://www.mydomain.com/login.html
>
> After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be
> transferred to another page, e.g.:
>
> http://www.mydomain.com/welcome.html
>
> My question, how can I make sure that ONLY ppl passed checkpasswd.pl can
> see that welcome.html (and the rest of page). It should be about checking
> 'session' or some other trick ...
>
> Anyone can give me pointer/clues how to do this? .. in a simplest way ..






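The post above describes the flow in three steps: login.cgi generates a session string after the password check, the string is saved in the database with the user's data, and next.cgi checks it. The added example below (not code from the post) carries that flow through with the one property the description leaves open, that the string must be unguessable: it is drawn from the kernel CSPRNG, stored only as a SHA-256 hash so a read of the table does not yield usable strings, checked for format before lookup, and expired server-side. The in-memory %store stands in for the database table and is constructed for this example; /dev/urandom and the one-hour lifetime are assumptions. One caveat on the carrier: a session string in the URL is copied into server logs, browser history and Referer headers, so a cookie is the better place for it; the server side of the example is the same either way.

```perl
#!/usr/bin/perl
# Added example, not code from the post above: the "generate a session
# string in login.cgi, save it with the user's data, check it in next.cgi"
# flow, with the string drawn from the kernel CSPRNG and stored hashed.
# Core modules only. %store stands in for the database table the post
# refers to (constructed here); /dev/urandom and the one-hour lifetime
# are assumptions.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use MIME::Base64 qw(encode_base64);

my $LIFETIME = 3600;   # seconds a session string stays valid (assumed)
my %store;             # sha256(session string) => { user => ..., expires => epoch }

# 32 random bytes, base64url-encoded without padding: 43 characters that are
# safe in a query string and cannot be derived from earlier values.
sub new_session_string {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 32;
    (my $s = encode_base64($bytes, '')) =~ tr{+/=}{-_}d;
    return $s;
}

# login.cgi side: call only after the password check has passed. The table
# holds a hash of the string, so reading the table gives no usable strings.
sub issue_session {
    my ($user) = @_;
    my $s = new_session_string();
    $store{ sha256_hex($s) } = { user => $user, expires => time + $LIFETIME };
    return $s;
}

# next.cgi side: returns the user name for a valid session string, undef
# for anything else (malformed, unknown, or expired). An expired row is
# removed when it is seen.
sub check_session {
    my ($s) = @_;
    return undef unless defined $s && $s =~ /\A[A-Za-z0-9_-]{43}\z/;
    my $key = sha256_hex($s);
    my $row = $store{$key} or return undef;
    if ($row->{expires} <= time) {
        delete $store{$key};
        return undef;
    }
    return $row->{user};
}

# Logout: forget the string server-side so a copied link stops working.
sub end_session {
    my ($s) = @_;
    return (defined $s && delete $store{ sha256_hex($s) }) ? 1 : 0;
}

# Walk-through (constructed): login, use the link, tamper with it, log out.
my $s = issue_session('alice');
print "next.cgi?session=$s -> ", check_session($s) // 'invalid', "\n";
my $forged = $s;
substr($forged, 0, 1) = ($forged =~ /^A/ ? 'B' : 'A');
print "forged string -> ", check_session($forged) // 'invalid', "\n";
end_session($s);
print "after logout -> ", check_session($s) // 'invalid', "\n";
```

The format check in check_session is there so that arbitrary input never reaches the storage layer as a lookup key; the hash-before-lookup step means a timing difference in the lookup tells an attacker nothing about the string itself.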




Re: cgi session

2003-01-08 Thread Will
Here is a tutorial (written for the CGI::Session
module) with a section on how to do membership style
sites.

http://search.cpan.org/author/SHERZODR/CGI-Session-3.11/Session/CookBook.pm#MEMBERS_AREA

The basic idea is to set a subroutine (included in the
tutorial) at the beginning of each protected script.
Upon login a cookie is set along with a flag in the
user's profile that indicates the person is logged in,
and each time the script runs the flag is checked to
see if it is okay to proceed with the execution of the
rest of the script.

The only problem I have found with this tutorial is
that it doesn't first give an example of how to get
users to REGISTER with the system in the first place.
After all, how can one log in to an account if they
haven't had some way of registering for an account in
the first place?

At any rate, if anyone is interested in cranking out
some studies on this module with me, then please let
me know.  I'm learning it too.

Thanks,

Will 




--- Vitaliy Babiy [EMAIL PROTECTED] wrote:
> You can keep the client's status (session) in the URI or in cookies.
> In the case of URI it's quite simple:
> In the script login.cgi you just check if login correct and generate session
> string so link will look like this
> http://www.mydomain.com/cgi-bin/next.cgi?session=567885734957345
> Also you save session string into database with all required data.
>
> Of course you need to check in script next.cgi if session valid or not. If
> valid you can get all session data from your database.
>
>
> Admin-Stress [EMAIL PROTECTED] wrote in message
> news:[EMAIL PROTECTED]...
>
> > How can I check cgi session? mmm .. maybe better I explain like this:
> >
> > I just want to make a 'secure site' that needs username and password. So,
> > the first page of my site would be fill in your username and password, for
> > example, it will be placed here :
> >
> > http://www.mydomain.com/login.html
> >
> > After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be
> > transferred to another page, e.g.:
> >
> > http://www.mydomain.com/welcome.html
> >
> > My question, how can I make sure that ONLY ppl passed checkpasswd.pl can
> > see that welcome.html (and the rest of page). It should be about checking
> > 'session' or some other trick ...
> >
> > Anyone can give me pointer/clues how to do this? .. in a simplest way ..





cgi session

2002-12-09 Thread Jeremiah Foster
> I just want to make a 'secure site' that needs username and password.

The easiest way to do this is probably not in perl. I recommend putting an 
.htaccess file in the directory where you have the file that you want 
password protected. This is a good method if you do not have the ability to 
configure the Apache server yourself. Here is more on the .htaccess file;

http://httpd.apache.org/docs/howto/htaccess.html#what

> After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be
> transferred to another page

This will happen if you protect a directory with the .htaccess file, once the 
user fills in their information they get into the directory and you can load 
index.html automatically.

I hope this information is helpful.

Jeremiah
-- 
___
http://www.freyafilm.com





cgi session

2002-12-05 Thread Admin-Stress
Hi,

How can I check cgi session? mmm .. maybe better I explain like this:

I just want to make a 'secure site' that needs username and password. So, the first 
page of my site would be fill in your username and password, for example, it will be 
placed here :

   http://www.mydomain.com/login.html

After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be transferred to 
another page, e.g.: 

   http://www.mydomain.com/welcome.html

My question, how can I make sure that ONLY ppl passed checkpasswd.pl can see that 
welcome.html (and the rest of page). It should be about checking 'session' or some 
other trick ... 

Anyone can give me pointer/clues how to do this? .. in a simplest way ..

Thanks,

kapot 





Re: cgi session

2002-12-05 Thread fliptop
On Thu, 5 Dec 2002 at 10:39, Admin-Stress opined:

[snip]
A:I just want to make a 'secure site' that needs username and password. So, the first
A:page of my site would be fill in your username and password, for example, it will be
A:placed here :
A:
A:   http://www.mydomain.com/login.html
A:
A:After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be transferred
A:to another page, e.g.:
A:
A:   http://www.mydomain.com/welcome.html
A:
A:My question, how can I make sure that ONLY ppl passed checkpasswd.pl can see that
A:welcome.html (and the rest of page). It should be about checking 'session' or some
A:other trick ...
[snip]

can't you use an .htaccess file?






Re: cgi session

2002-12-05 Thread Christopher G Tantalo
Admin-Stress wrote:

> Hi,
>
> How can I check cgi session? mmm .. maybe better I explain like this:
>
> I just want to make a 'secure site' that needs username and password. So, the first
> page of my site would be fill in your username and password, for example, it will be
> placed here :
>
> http://www.mydomain.com/login.html
>
> After that, I will call /cgi-bin/checkpasswd.pl, if OK then user will be transferred
> to another page, e.g.:
>
> http://www.mydomain.com/welcome.html
>
> My question, how can I make sure that ONLY ppl passed checkpasswd.pl can see that
> welcome.html (and the rest of page). It should be about checking 'session' or some
> other trick ...
>
> Anyone can give me pointer/clues how to do this? .. in a simplest way ..
>
> Thanks,
>
> kapot

Isn't there a CGI::Session for your session management/auth issues?


http://search.cpan.org/author/SHERZODR/CGI-Session-2.94/doc/Session.pod
http://search.cpan.org/author/SHERZODR/CGI-Session-2.94/doc/cgisessioncook.pod
chris
--
---
Just Your Friendly Neighborhood
_SPIDEY_







Saving CGI session to DB

2002-10-02 Thread Kevin

Hello,

How can I save a CGI session to a db? I have only seen an example of saving to a
filehandle in the documentation:

$query->save(FILEHANDLE)

Thanks.

--Kevin

