Jerry:
I would use .htaccess and something like this:
#!/usr/bin/perl
use strict;
use warnings;

# Apache fills REMOTE_USER only after a successful .htaccess login,
# so an empty/undefined value means the script was reached without one.
our ($user_login, $action, $action_flag);   # globals shared with the subs below
print "Content-type: text/html\n\n";
if (!defined $ENV{'REMOTE_USER'} || $ENV{'REMOTE_USER'} eq "")
{
    print "Something is wrong<BR>\n";
    exit;
}else{$user_login=$ENV{'REMOTE_USER'};}
&connect_to_db;
&read_user_priveleges_from_db;                 # looks up $user_login
&set_action_flag_corresponding_to_priveleges;  # sets $action_flag to "user" or "boss"
# you can use action_flag like this
if ($action eq "delete")
{
    if ($action_flag eq "user")
    {
        print "you cannot do this, pal\n";
        exit;
    }
    elsif($action_flag eq "boss")
    {
        # do delete command
        # ....................
    }
}
# .................
The trick here is to have the programs run from a directory below the one
where you place .htaccess; otherwise $ENV{'REMOTE_USER'} is undefined.
Hope it helps.
Regards,
A.Heiphetz
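A fuller version of the pattern above, added here as an example and not part of A.Heiphetz's post: the script reads REMOTE_USER, looks the user's level up with a placeholder query (so the name never lands inside the SQL text), and keeps the policy decision in one function that also covers Jerry's ownership rule (a plain user may only edit listings carrying their own id). The table and column names (users.username, users.level, listings.id, listings.user_id), the connect string and the assumption that listings.user_id stores the same name Apache reports in REMOTE_USER are all assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original post.  Schema, connect string and
# the rule that listings.user_id holds the REMOTE_USER name are assumptions.
use strict;
use warnings;
use CGI qw(param header);
use DBI;

# Apache sets REMOTE_USER only after a successful .htaccess (Basic auth)
# login; an empty value means the directory is not protected.
sub current_user {
    my $u = $ENV{'REMOTE_USER'};
    return (defined $u && $u ne '') ? $u : undef;
}

# Privilege level ("user" or "boss") for the authenticated name.
# The placeholder keeps the username out of the SQL statement.
sub privilege_level {
    my ($dbh, $user) = @_;
    my ($level) = $dbh->selectrow_array(
        'SELECT level FROM users WHERE username = ?', undef, $user);
    return $level;          # undef when no such user row exists
}

# Owner of an existing listing, or undef if the id is unknown.
sub listing_owner {
    my ($dbh, $id) = @_;
    my ($owner) = $dbh->selectrow_array(
        'SELECT user_id FROM listings WHERE id = ?', undef, $id);
    return $owner;
}

# Pure policy decision, kept apart from the database so it is easy to test:
#   add    - any logged-in user (the new record still waits for approval)
#   edit   - the listing's owner, or a boss
#   delete - a boss only
# Anything else, or a user with no level row, is refused.
sub allowed {
    my ($action, $level, $user, $owner) = @_;
    return 0 unless defined $level;
    return 1 if $level eq 'boss';
    return 1 if $action eq 'add';
    return 1 if $action eq 'edit' && defined $owner && $owner eq $user;
    return 0;
}

print header(-type => 'text/html');
my $user = current_user();
if (!defined $user) {
    print "Something is wrong<BR>\n";   # script not under the .htaccess directory
    exit;
}

my $dbh = DBI->connect('DBI:mysql:database=listings;host=localhost',
                       'webapp', 'secret', { RaiseError => 1 });
my $level  = privilege_level($dbh, $user);
my $action = param('action') || '';
my $id     = param('id');
my $owner  = ($action ne 'add' && defined $id) ? listing_owner($dbh, $id) : undef;

if (!allowed($action, $level, $user, $owner)) {
    print "you cannot do this, pal\n";
    exit;
}
# The check has passed: perform $action on listing $id here.
```

Because the decision lives in allowed(), every screen of the application calls the same function instead of repeating the `if ($action_flag eq "user")` ladder, and a listing id supplied by the browser is always resolved back to its owner before an edit is honoured.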
At 02:11 PM 8/10/99 -0700, Jerry Preeper wrote:
>Hi All,
>
>I was wondering how others might be handling the allowing of access to a
>perl script using a database that includes usernames and passwords.
>
>For example, I am working on a project where I have a perl program that
>will allow people to add to and edit listings in a list table. Each
>listing has a user id attached to it (users may have multiple listings) and
>there is a separate table for all these people that would include their
>contact info, their username and password. These are not people that would
>be in the mysql privileges table - it's a web based thing.
>
>What I want to be able to do is to have a login screen that they enter
>their username and password, which then determines what they are allowed to
>do. For example, they would only be able to edit certain items in existing
>records that they are the user id on and add new records (which would still
>need to be approved by an administrator). An administrator (who would also
>have a login) would be able to do lots of other things in the db. There is
>a field in the database that determines what level the person is when they
>log in based upon their username/password.
>
>My questions are:
>
>1) Should I use cookies to track their session or is there a better method?
> I understand I can set like a 60 minute cookie with a unique string
>containing their username and password that can be passed back and forth as
>they go through various screens. Is this reasonably reliable or is there a
>better method that holds their username and password as they go through
>various screens?
>
>Any perl examples of either would be greatly appreciated.
>
>2) One way encrypting of password vs two way. One thing I'm afraid of is
>that people will invariably lose their password and it would be nice to
>have a routine that they can have it emailed to the email address in the
>database. I'm guessing to do this, however, I would need to use an
>encryption scheme that can be used to encrypt and decrypt. Is this still
>reasonably secure? Or would it be preferable to stick with one-way
>encryption and if someone loses their password, just issue them a new one?
>I'm trying to automate as much as I can.
>
>3) Overall security. I don't want to put this behind a .htaccess file
>simply to avoid the extra steps. I also want to make sure people who are
>on webtv and things like that won't have problems with stuff like cookies
>either. The data in the file isn't super top secret but I would like to
>maintain a reasonably good level of security. Is there an advantage to
>putting it behind a secure server (https)? Any thoughts or comments would
>be appreciated.
>
>Thanks again.
>
>Jerry Preeper
>
>---------------------------------------------------------------------
>Please check "http://www.mysql.com/Manual_chapter/manual_toc.html" before
>posting. To request this thread, e-mail mysql-thread9867@stripped
>
>To unsubscribe, send a message to the address shown in the
>List-Unsubscribe header of this message. If you cannot see it,
>e-mail mysql-unsubscribe@stripped instead.