CGI Authentication form passthrough question

Michal Wallace (sabren) sabren at manifestation.com
Sat May 20 13:06:44 EDT 2000


On Fri, 19 May 2000, David Rock wrote:

> I am trying to write a CGI script to check authentication for a
> website, but I have a problem.

[snip]

> 2.  Write a file with a random key value that gets passed along as a
> hidden item in a form. When the form runs the next cgi script, it
> looks for the key value in the file and compares the two. Since
> this would be a date-based seed, the key would always be different
> (but how do you know when to get rid of the key file? The process
> would be dead as soon as the HTML is generated)

Hey David,

What you want is true session support. Create a random value once for
the session and either a) set a cookie, or b) put it as a parameter in
every single URL on the site, so that no matter what people click on,
it passes the value along.  

The benefit of a) is that you can remember who's logged in even if
they leave the site and come back... The benefit of b) is that not
all people allow cookies. The best approach may be a hybrid: use
cookies, but if they don't have it, fall back on sticking the
session ID in the URL..

BTW: it lets the keys pile up (in a file, or dbm or relational
database), and then eventually deletes the old ones.

It just so happens that there's a package that does all this for
you.. It's called weblib. http://weblib.sourceforge.net/ ..  Grab the
CVS version, because the docs and snapshot are a few weeks out of
date. If it looks like something you want, I'll be happy to answer
any questions you might have.


Cheers,

- Michal
-------------------------------------------------------------------------
http://www.manifestation.com/         http://www.linkwatcher.com/metalog/
-------------------------------------------------------------------------
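
The scheme described in the reply above, as an added example that is not part of the original post and is not weblib's code: one random ID per session, carried by cookie with a URL-parameter fallback, and stored keys that expire and get purged. The names `SessionStore`, `sid`, the 30-minute lifetime and the in-memory dict (standing in for the file, dbm or database) are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlencode

SESSION_TTL = 1800  # seconds of idle time before a key is stale (assumed value)

class SessionStore:
    """In-memory stand-in for the file/dbm/database that holds session keys."""
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl, self.clock, self._rows = ttl, clock, {}

    def create(self, user):
        # Unguessable ID from the OS CSPRNG rather than a date-based seed.
        sid = secrets.token_urlsafe(32)
        self._rows[sid] = (user, self.clock() + self.ttl)
        return sid

    def lookup(self, sid):
        row = self._rows.get(sid or "")
        if row is None or row[1] <= self.clock():
            self._rows.pop(sid, None)  # unknown or expired: treat as logged out
            return None
        self._rows[sid] = (row[0], self.clock() + self.ttl)  # sliding expiry
        return row[0]

    def purge(self):
        # Run from any later request or a cron job; no live process is needed.
        now = self.clock()
        dead = [s for s, (_, exp) in self._rows.items() if exp <= now]
        for s in dead:
            del self._rows[s]
        return len(dead)

def session_id_from_request(cookie_header, query):
    """Hybrid transport: prefer the cookie, fall back to the URL parameter."""
    cookie = SimpleCookie(cookie_header or "")
    return cookie["sid"].value if "sid" in cookie else query.get("sid")

def set_cookie_header(sid):
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True  # keep the ID away from page scripts
    c["sid"]["secure"] = True    # send over HTTPS only
    return c.output(header="Set-Cookie:")

def link(path, sid, has_cookie):
    # URL fallback exposes the ID in logs and Referer headers; use it only
    # when the browser sent no cookie, and keep the lifetime short.
    return path if has_cookie else f"{path}?{urlencode({'sid': sid})}"
```

Because each stored key carries its own expiry time, cleanup does not depend on the CGI process that issued it still being alive.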




