This is a discussion on Streamlining login to Web site within the Apache Web Server forums, part of the Web Server and Related Forums category.
For an existing suite of CGI scripts, I have a task to improve the site's login access, and I would like to know if CGI::Auth is what I need.

Right now, the user must log in to gain access to the main menu page, which is a static HTML page. If he then clicks on certain menu items that require more privileged access, he will be presented with the login dialogue again. I understand how this has been set up by configuring httpd.conf.

What I would like to do is determine the user's access level at his initial login and generate the appropriate main menu page, thereby removing the need for any further logins.

If CGI::Auth is what I need for this, are there any good tutorials on using it, maybe with a really well spelled-out example?

-- 
Charles Packer
http://cpacker.org/whatnews
mailboxATcpacker.org
On 2007-07-09 20:16, mailbox@cpacker.org <mailbox@cpacker.org> wrote:
> For an existing suite of CGI scripts, I have
> a task to improve the site's login access,
> and I would like to know if CGI::Auth is
> what I need.
>
> Right now, the user must log in to gain
> access to the main menu page, which is a
> static HTML page. If he then clicks on
> certain menu items that require
> more privileged access, he will be
> presented with the login dialogue again.
> I understand how this has been set up by
> configuring httpd.conf.

First, you should make clear to yourself the difference between authentication and authorization:

* authentication is establishing who a user is.
* authorization is establishing what a user is allowed to do.

HTTP Basic authentication muddies the distinction both in the headers (the server sends a WWW-Authenticate header and the client responds with an Authorization header) and in the behaviour of the common browsers. But it is still very useful to keep them apart.

In HTTP Basic authentication, a user is identified by four pieces of information:

1) The server (identified by protocol, server and port).
2) The realm (as sent in the WWW-Authenticate header and specified in the AuthName directive in Apache).
3) The user name (as sent by the client in the Authorization header).

These three pieces uniquely identify a user. If one of them is different, it is a different user. For the user to prove that he really is this user (to "authenticate" himself), the fourth piece is needed:

4) The password (sent by the client in the Authorization header).

Once you have authenticated the user, you need to decide what he can do. For example, Alice may access directory A, but not directory B, while Bob may access both directories. In the Apache config, this is done with allow/deny and require directives.

Note that HTTP has no way to confer that a user has successfully authenticated, but is not authorized to access some resource. Both a failed authentication and an attempt to access a resource without proper authorization result in a 401 code. So when the browser receives a 401 code, it doesn't know whether the user supplied a wrong username or password or isn't allowed to access that resource. So it pops up a dialog box asking for username and password in either case.

> What I would like to do is determine the
> user's access level at his initial login
> and generate the appropriate main menu
> page,

So you want to create a page containing only links which the user is authorized to visit? Once a user has been authenticated, you can easily do that if you know where the user has access (that sounds trivial, but may not be - you may need to parse server config files and .htaccess files to find out).

> thereby removing the need for any further logins.
> If CGI::Auth is what I need for this,

No. CGI::Auth is concerned with authentication, not authorization.

At first glance, CGI::Auth may help you in two aspects:

1) It doesn't use Basic authentication, so you can distinguish between lack of authentication and authorization - you can tell a user "you aren't allowed to go there" without his browser losing the login information.
2) Since you are doing authentication yourself, you also need to do authorization - so if you want dynamic menus, you don't need to parse your server config files to find out where the user is allowed access.

But at second glance it is obvious that you don't need CGI::Auth for this. You get the same effect if you use Apache only for authentication, and do the authorization in your scripts.

hp

-- 
Peter J. Holzer | Sysadmin WSR | hjp@hjp.at | http://www.hjp.at/
"I know I'd be respectful of a pirate with an emu on his shoulder." -- Sam in "Freefall"
On Jul 9, 6:16 pm, "Peter J. Holzer" <hjp-usen...@hjp.at> wrote:
> But at second glance it is obvious that you don't need CGI::Auth for
> this. You get the same effect if you use Apache only for authentication,
> and do the authorization in your scripts.

Ah, but I haven't figured out how my script can learn who the user is after it's invoked following Basic authentication! If that information is in the tutorials, I've missed it, somehow. That's why I went poking around in the Auth documentation. Is the user name a variable in %ENV, or where? Once I know the user, I can parse .htgroup, I guess, to determine his access level and generate the appropriate menu.

-- 
Charles Packer
http://cpacker.org/whatnews
mailboxATcpacker.org
mailbox@cpacker.org wrote:
> On Jul 9, 6:16 pm, "Peter J. Holzer" <hjp-usen...@hjp.at> wrote:
>> But at second glance it is obvious that you don't need CGI::Auth for
>> this. You get the same effect if you use Apache only for authentication,
>> and do the authorization in your scripts.
>
> Ah, but I haven't figured out how my script can learn who the user is
> after it's invoked following Basic authentication! If that information
> is in the tutorials, I've missed it, somehow. That's why I went poking
> around in the Auth documentation. Is the user name a variable in %ENV,
> or where? Once I know the user, I can parse .htgroup, I guess, to
> determine his access level and generate the appropriate menu.

Hi

Yes, the username is in %ENV - REMOTE_USER I think, but if you dump the whole of %ENV it will be obvious on sight. That var is guaranteed correct by apache/mod_cgi, so if it is set, then that is the username that apache authorised.

HTH
Tim
mailbox@cpacker.org wrote:
> For an existing suite of CGI scripts, I have
> a task to improve the site's login access,
> and I would like to know if CGI::Auth is
> what I need.
>
> Right now, the user must log in to gain
> access to the main menu page, which is a
> static HTML page. If he then clicks on
> certain menu items that require
> more privileged access, he will be
> presented with the login dialogue again.
> I understand how this has been set up by
> configuring httpd.conf.
>

If you are running a Linux server and Apache then you can use ".htaccess" files for authenticating users. This is very simple and relatively secure. All you have to do is configure Apache for this (in httpd.conf) and create .htaccess and .htpassword files in the directories you want to be authenticated. Apache does all the other work for you.

-- 
Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail from another non-spammer site please.)