> I wrote a perl web application, and now I want 
> to add authentication to it. After some thought I 
> decided to do a textfile based authentication.
> I wrote a script which asks for a username and password, 
> and the passwd file gets appended with username and 
> crypt(ed) password.

Depending on what you're trying to secure, that can be adequate. But,
be sure that you're handling the case where two users try to add
passwords at the same time.

In general, authentication is not a trivial problem.  If you can
leverage the web server, it will save you a lot of work.  (For apache, 
http://httpd.apache.org/docs/howto/auth.html is a good starting point)


> I also wrote the web authentication part, where a form accepts a
> username and password, and then reads the passwd file, and checks if
> the passwd is correct or not.
> 
> Now If the password is correct, I want to redirect the user to my
> application. How can I do this?

Respond with an HTTP 302 redirect.  CGI.pm's redirect() should be able
to take care of this for you.

> Also how can I prevent the user from directly executing the main
> script(webapp). Is there a way I can maintain a session, and in the
> beginning of each script check if session is valid or not?

The general idea is to set a session cookie with an authentication
token when the user enters proper credentials.  In each successive
request, you validate the token.  If the token is valid, let the user
proceed.  If not, bounce the user back to the login page.

Now, what's an authentication token?  This depends on how far you want
to carry it.  For example, you might concatenate

  hash of username:login time:IP address:checksum of previous 3 tokens

base64 encode this, and send it as the token cookie value.  When
receiving the authentication cookie, verify everything.  

(Disclaimer - I came up with this recipe from out of the blue.  You
can get as creative as you want - even to the point of writing a
separate "token server" whose sole purpose is to issue and validate
these things.  If what you're protecting is really important, assume
that some of your users are mischievous enough to use an injection
proxy to mess with the authentication cookie -- be sure that you can
detect tampering).

-- 
Steve Revilak
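The token scheme sketched in the reply above, worked through as an added example (not code from the original message or its author): the cookie value carries username, login time and client IP, and a keyed HMAC over those fields stands in for the "checksum" so that any tampering with the cookie is caught at verification. Assumed names are issue_token, verify_token and the placeholder $SECRET; fields are tab-separated because IPv6 addresses contain ':'.

```perl
use strict;
use warnings;
use Digest::SHA   qw(hmac_sha256_hex);
use MIME::Base64  qw(encode_base64 decode_base64);

# Constructed placeholder: load a long random secret from outside the docroot.
my $SECRET  = 'replace-with-a-long-random-secret';
my $MAX_AGE = 8 * 3600;    # token lifetime in seconds

# Build the cookie value: "username\tlogin_time\tip\tmac", base64 encoded.
# Tab is used as the separator because IPv6 addresses contain ':'.
sub issue_token {
    my ($username, $ip, $now) = @_;
    $now //= time;
    die "bad username" unless $username =~ /^\w+$/;   # no separator chars
    my $payload = join "\t", $username, $now, $ip;
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    return encode_base64("$payload\t$mac", '');       # '' = no line breaks
}

# Verify the cookie value. Returns the username, or undef when the token is
# malformed, tampered with, expired, or presented from a different IP.
sub verify_token {
    my ($token, $ip, $now) = @_;
    $now //= time;
    return undef unless defined $token && $token =~ m{^[A-Za-z0-9+/=]+$};
    my ($username, $issued, $tok_ip, $mac) = split /\t/, decode_base64($token), 4;
    return undef unless defined $mac && defined $issued && $issued =~ /^\d+$/;
    my $expected = hmac_sha256_hex(join("\t", $username, $issued, $tok_ip), $SECRET);
    return undef unless constant_time_eq($mac, $expected);   # tamper check first
    return undef if $now - $issued > $MAX_AGE;
    return undef unless $tok_ip eq $ip;
    return $username;
}

# Compare two hex digests without short-circuiting on the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}
# Demo with constructed values: a genuine token, a client-altered one, wrong IP.
my $token = issue_token('alice', '192.0.2.10');
print verify_token($token, '192.0.2.10') ? "accepted\n" : "rejected\n";
(my $forged = $token) =~ tr/A-Za-z/N-ZA-Mn-za-m/;   # ROT13 the cookie value
print verify_token($forged, '192.0.2.10') ? "accepted\n" : "rejected\n";
print verify_token($token, '198.51.100.7') ? "accepted\n" : "rejected\n";
```

Send the value with CGI.pm's cookie() as a Secure, HttpOnly cookie and call verify_token at the top of every script, which is the per-request check the reply describes.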

_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm
