paperlined.org
document updated 16 years ago, on Dec 24, 2007
Problem:
    - CGIWrap and .htpasswd don't work together.  CGIWrap hooks into Apache earlier than the Apache
      auth stuff.  So...  you have to roll your own for CGI scripts, I guess.

Solution:
    - find a minimal session-management thingy, that allows for a centralized login page, and a way
      to communicate that logged-in/not-logged-in to many different scripts


Possibilities:
  - CGI::Session



CAVEAT EMPTOR:
    http://www.perl.com/pub/a/2001/06/05/cgi.html
         how best to implement login security and session management. Experience has taught me that
         these are elements that are best excluded from your application code, and pushed into a
         lower layer of your Web server.

         If you are using the Apache Web server, and are interested in implementing login security
         and session management, I encourage you to check out the various Apache::Auth* modules on
         CPAN. These modules tie into the "Authentication" and "Authorization" phases of the
         request. This code runs long before your CGI applications are called.

         There are two primary advantages in placing your sessions and security code in this layer.
         First, your security will work for all documents, not just Perl applications. Even static
         HTML documents will be protected by this system. Second, putting sessions and security in
         this layer will avoid an architecture where programmers have to include special code at the
         start of their applications to participate in the sessions and security system. 
            
            (yeah, well, we haven't much choice...  the above are certainly valid concerns, but are
             almost completely unfulfillable in this situation)





=== Simply emulate the built-in .htpasswd ===

Yes, the basic authentication sucks, a LOT, but...  is it possible to just use the existing
.htpasswd file, and just implement Basic HTTP Authentication within Perl itself?

    http://search.cpan.org/dist/Authen-Htpasswd/

        http://en.wikipedia.org/wiki/Basic_access_authentication
            WWW-Authenticate: Basic realm="SokEvo"
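
One way to do what this section asks, as an added example (not the page's own code): a CGI script that issues the Basic challenge itself and checks the password against the existing .htpasswd with Authen::Htpasswd. The file location is an assumption, and so is that the server hands the Authorization header to the script as HTTP_AUTHORIZATION, which Apache does not do for CGI by default.

```perl
#!/usr/bin/perl
# Added example: HTTP Basic authentication done inside a CGI script,
# checked against an existing .htpasswd file.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Authen::Htpasswd;

my $HTPASSWD = "$ENV{HOME}/.htpasswd";   # assumed location of the existing file
my $REALM    = 'SokEvo';                 # realm from the header shown above

# Return (user, password) from an "Authorization: Basic ..." value, or ().
sub parse_basic {
    my ($header) = @_;
    return unless defined $header && $header =~ /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/i;
    my $decoded = decode_base64($1);
    # Split on the first colon only: passwords may contain colons.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $pass && length $user;
    return ($user, $pass);
}

# Return the authenticated user name, or undef.
sub authenticate {
    my ($user, $pass) = parse_basic($ENV{HTTP_AUTHORIZATION});
    return unless defined $user;
    # Unknown user, bad password and unreadable file all fail closed.
    my $ok = eval { Authen::Htpasswd->new($HTPASSWD)->check_user_password($user, $pass) };
    return $ok ? $user : undef;
}

my $user = authenticate();
unless (defined $user) {
    # Same challenge for every failure, so the response does not say which part was wrong.
    print "Status: 401 Unauthorized\r\n";
    print qq{WWW-Authenticate: Basic realm="$REALM"\r\n};
    print "Content-Type: text/plain\r\n\r\n";
    print "Authentication required.\n";
    exit;
}

print "Content-Type: text/plain\r\n\r\n";
print "Logged in.\n";
```

Basic credentials are only base64-encoded, so this is only worth doing on a site served over HTTPS.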



==========================

Oh, fine, CGI::Auth::Basic looks like it does the job.  It's NOT HTTP Basic-Auth, but it's designed
to be very simple, and that's what I need.

And this is how I created the .txt file with the crypted password...

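    use CGI;
    use CGI::Auth::Basic;
    # define the flock constants by hand (LOCK_EX = 2, LOCK_UN = 8)
    sub Fcntl::LOCK_EX {2}
    sub Fcntl::LOCK_UN {8}
    my $cgi  = CGI->new;
    my $auth = CGI::Auth::Basic->new(cgi_object => $cgi, file => "$ENV{HOME}/.cgiPrivPass.txt");
    # _update_pfile is a private method of the module; it writes the crypted password to the file
    $auth->_update_pfile("NEWPASSWORD");
    exit;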