
View Full Version : Perl Session Variables/Admin Privileges



pppebble88
11-13-2009, 04:47 PM
Hello,

I am trying to figure out how to have a Perl script determine what to display on an HTML page. The idea is that when a person logs in, their "role" is retrieved from a MySQL database. That role is then stored in a session variable. The role being "general" or "admin" determines whether or not they have access to the link "Insert.html". If they are an admin, I want the link to be displayed... If they are not an admin, I don't want them to see it. Is this possible using Perl?

Also, how can I prevent them from being able to hard-code the link in there as well?

Thanks a lot.

FishMonger
11-13-2009, 09:28 PM
Hello,

I am trying to figure out how to have a Perl script determine what to display on an HTML page. The idea is that when a person logs in, their "role" is retrieved from a MySQL database. That role is then stored in a session variable. The role being "general" or "admin" determines whether or not they have access to the link "Insert.html". If they are an admin, I want the link to be displayed... If they are not an admin, I don't want them to see it. Is this possible using Perl?

Yes, that is fairly easy to do in Perl, once you understand how to work with sessions.

See:
CGI::Session http://search.cpan.org/~markstos/CGI-Session-4.42/lib/CGI/Session.pm

CGI::Session::Tutorial http://search.cpan.org/~markstos/CGI-Session-4.42/lib/CGI/Session/Tutorial.pm

For the HTML side, I'd use:
HTML::Template http://search.cpan.org/~samtregar/HTML-Template-2.9/Template.pm

CGI http://search.cpan.org/~lds/CGI.pm-3.48/lib/CGI.pm

pppebble88
11-13-2009, 10:40 PM
Thanks for the help...Question: For the HTML::Template, is the actual link going to be http://www.#####.com/test.tmpl? It seems like I have never seen an address such as that, but they have always been .html pages. Thanks.

FishMonger
11-13-2009, 11:18 PM
Assuming a default apache configuration, the url would be http://www.mydomain.com/cgi-bin/test.pl

However, with url rewriting and other apache directives, the url could simply be http://www.mydomain.com/test.htm or http://www.mydomain.com/test.pl or even just http://www.mydomain.com

pppebble88
11-13-2009, 11:26 PM
You mention URL rewriting, etc... Is this part of the Session and Template tutorials, or is that something different? Sorry, I am just new to all of this... Thanks

FishMonger
11-14-2009, 12:12 AM
No, it's not part of CGI::Session

http://en.wikipedia.org/wiki/Rewrite_engine

http://httpd.apache.org/docs/2.0/misc/rewriteguide.html

For now, I wouldn't worry about url rewriting. First get your site designed and working the way you want, then look into the apache directives.

pppebble88
11-14-2009, 07:24 AM
Here is what I have so far...For some reason, instead of storing the cookie and redirecting to the proper page, it shows the following:


Set-Cookie: Role=Super; expires=Sat Nov 14 08:21:32 2009; path= Location: http://www.address to go to.com

The code is below:


#!/usr/local/bin/perl


# PERL MODULES WE WILL BE USING
use DBI;
use DBD::mysql;
use CGI qw( :standard );
use CGI::Carp qw(fatalsToBrowser);

print "Content-type: text/html \n\n";

$userPassed = param("userID");

# CONFIG VARIABLES
$platform = "mysql";
# (values were left blank in the post)
$database = "";
$host = "";
$port = "";
$tablename = "";
$user = "";
$pw = "";

# DATA SOURCE NAME
$dsn = "dbi:$platform:$database:$host:$port";

# PERL DBI CONNECT
$connect = DBI->connect($dsn, $user, $pw)
or die "Connection Error: $DBI::errstr\n";

# PREPARE THE QUERY
# Bind the user id with a placeholder instead of interpolating it into the SQL
my $query = "SELECT * FROM $tablename WHERE User = ?";
my $query_handle = $connect->prepare($query);

#print ($query);

# EXECUTE THE QUERY
$query_handle->execute($userPassed);

while (@row = $query_handle->fetchrow_array) {
    $roleIn = "$row[2]";
    #print ("$roleIN");
}

$expires = gmtime( time() + 3600 );
print( "Set-Cookie: Role=$roleIn; expires=$expires; path=\n" );

print "Location: http://www.address to go to.com";

# HTTP HEADER
#print( header() );
#print ( start_html() );

# Print XHTML footer
#print ( end_html() );

Any ideas? Thanks a lot.

FishMonger
11-14-2009, 11:55 AM
Don't print the HTML headers.

The first print statement should be the redirection.

http://search.cpan.org/~lds/CGI.pm-3.48/lib/CGI.pm#GENERATING_A_REDIRECTION_HEADER

pppebble88
11-14-2009, 01:34 PM
How does it store the cookie if the redirect is the first thing printed? Below is the code I have... It works (by works, I mean it redirects properly)...

Question: How can I retrieve the cookie set in this perl program using javascript, and then use that javascript to determine what to display? Is this a workable/good solution?

Thanks. Code is below.


#!/usr/local/bin/perl


# This page was created and worked on by 2/C Collard, 2/C Waymouth, 2/C Troisi, and 2/C Cunha
#source: http://forums.speedguide.net/showthread.php?t=190821

# PERL MODULES WE WILL BE USING
use DBI;
use DBD::mysql;
use CGI qw( :standard );
use CGI::Carp qw(fatalsToBrowser);

#print "Content-type: text/html \n\n";

$userPassed = param("userID");

# CONFIG VARIABLES
$platform = "";
$database = "";
$host = "";
$port = "";
$tablename = "";
$user = "";
$pw = "";

# DATA SOURCE NAME
$dsn = "dbi:$platform:$database:$host:$port";

# PERL DBI CONNECT
$connect = DBI->connect($dsn, $user, $pw)
or die "Connection Error: $DBI::errstr\n";

# PREPARE THE QUERY
# Bind the user id with a placeholder instead of interpolating it into the SQL
my $query = "SELECT * FROM $tablename WHERE User = ?";
my $query_handle = $connect->prepare($query);

#print ($query);

# EXECUTE THE QUERY
$query_handle->execute($userPassed);

while (@row = $query_handle->fetchrow_array) {
    $roleIn = "$row[2]";
    #print ("$roleIN");
}

$query = new CGI; # create a new CGI object
# $roleIn must not be single-quoted, or the literal text '$roleIn' is stored
$cookie = $query->cookie ( -name => 'Role',
                           -value => $roleIn,
                           -path => '/',
                           -expires => '+60m');

$location = '';

print $query->header(-cookie=>$cookie);
print qq{<meta http-equiv="REFRESH" content="0;URL=http://www.togoto.com">\n};

# HTTP HEADER
#print( header() );
#print ( start_html() );

# Print XHTML footer
#print ( end_html() );

FishMonger
11-14-2009, 01:54 PM
The first thing to decide on is do you want to use client side cookies or server side sessions as indicated in your original post?

If you're going to use server side sessions, then sending the cookie is optional, but if used, it only stores the session id.

bazz
11-14-2009, 02:27 PM
It'll depend on whether you use server-side sessions or not, but instead of printing the cgi->header(); you could print $session->header();

Then you can add things to the session (or delete them) and I think you can then redirect if you want.

hth

bazz


print $cgi->header(); is used instead of print "Content-type: text/html \n\n";

FishMonger
11-14-2009, 02:36 PM
Here's an example pulled from one of my production scripts.



#!/usr/bin/perl

use warnings;
use strict;
use DBI;
use CGI;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use CGI::Session;
use HTML::Template;
use Crypt::PasswdMD5;

my $title = 'Email Administration Login';
my $cgi = CGI->new;
my $session = CGI::Session->new or die CGI::Session->errstr;
my $template = HTML::Template->new(
    filename => '../../html/emadmin/login.tmpl',
    associate => [$session],
    die_on_bad_params => 0,
    global_vars => 1,
    cache => 0,
);

$SIG{__DIE__} = \&dying;

#$session->clear(['admin', 'logged_in']) if $cgi->param('logout');
$session->clear if $cgi->param('logout');
$session->param('hostname', `hostname`);


# is user logging-in
if ( $cgi->param('Login') ) {
my $home = 'http://mydomain.com/admin/search.pl';
print $cgi->redirect($home) if autherized_user();
}


# if we reach this point, the default login page will be shown
print $session->header;
warningsToBrowser(1);
print $template->output;

exit;

# End of main body of script
# Subroutine definitions to follow below

pppebble88
11-14-2009, 03:47 PM
Thanks for all of the help thus far...I am doing my best to keep up and try to understand.

You mentioned that there are server-side and user-side cookies...Is the way I have it setup (code above) server-side or client side? In addition, what are the advantages/disadvantages to either?

In your script, FishMonger, I noticed that you determine what to do based on if they are logging in, etc. Why is that necessary? More clearly, if we take them to a login page, which redirects to this perl script, they are obviously not "logging out." Is this script called somewhere else?

Also, if I use the method I am currently using to store cookies (hopefully that is what it is doing) can I use javascript to pull the value of "role" out of the cookie and display page content accordingly?

Thanks a lot for all of the help!

oesxyl
11-14-2009, 04:44 PM
Thanks for all of the help thus far...I am doing my best to keep up and try to understand.

You mentioned that there are server-side and user-side cookies...Is the way I have it setup (code above) server-side or client side? In addition, what are the advantages/disadvantages to either?
The web is stateless; you can't decide what state you are in if you don't preserve that information some way. FishMonger talks about storing the cookie (which represents the state) on both parts, in the client browser and on your server. You can compare what you get from the client with what you store on your computer, and this way you can determine the state.
The explanation is a little general, but this is why what happens happens :)


In your script, FishMonger, I noticed that you determine what to do based on if they are logging in, etc. Why is that necessary? More clearly, if we take them to a login page, which redirects to this perl script, they are obviously not "logging out." Is this script called somewhere else?
FishMonger will explain this better than I can :)


Also, if I use the method I am currently using to store cookies (hopefully that is what it is doing) can I use javascript to pull the value of "role" out of the cookie and display page content accordingly?

Thanks a lot for all of the help!
You fetch the cookie using Perl and generate JS code to pass the variable. It's no big deal, but I don't understand why you need that. After FishMonger answers your previous question, I guess you will have no need of JS for what you want to do with "role".

best regards

FishMonger
11-14-2009, 05:35 PM
Thanks for all of the help thus far...I am doing my best to keep up and try to understand.

You mentioned that there are server-side and user-side cookies...Is the way I have it setup (code above) server-side or client side? In addition, what are the advantages/disadvantages to either?
Your code is using client side cookies to maintain all state information.

My code is using server side sessions to maintain the state info. CGI::Session can also send a client side cookie to store the session id but no other state info is sent in the cookie, or you can pass the session id in the query string.

With server side sessions you control the storing and retrieving of session data. With client side cookies, the user has a fair amount of control over it. They can modify, delete or disable cookies. Server side sessions are more secure.



In your script, FishMonger, I noticed that you determine what to do based on if they are logging in, etc. Why is that necessary? More clearly, if we take them to a login page, which redirects to this perl script, they are obviously not "logging out." Is this script called somewhere else?
The example I gave was chosen to address the points in your opening question:


The idea is that when a person logs in, their "role" is retrieved from a mySQL database. That role is then stored in a session variable.

That's exactly what my code does; I just didn't show you my subroutines that query the database and assign that info to the session variables.

On each of my pages I have a logout button that calls this login script, and this script is configured in apache to be my index (home) page. So, if there is a "Logout" parameter passed, I then clear the session which forces the user to log back in if they want to continue.


Also, if I use the method I am currently using to store cookies (hopefully that is what it is doing) can I use javascript to pull the value of "role" out of the cookie and display page content accordingly?

I'm fairly sure you can, but you'll need to ask that question in the Javascript topic area.
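
As an added illustration of the server-side approach FishMonger describes (not code from the thread): a hypothetical `admin.pl` that hides the Insert link from non-admins and also refuses the request when the URL is typed by hand. The script name, the `role` session key, the `page` parameter, the login URL and the `/tmp` session directory are assumptions, and the insert page is served by the script rather than as a static Insert.html.

```perl
#!/usr/bin/perl
# Added example (hypothetical admin.pl): the session key 'role', the 'page'
# parameter, the login URL and the /tmp session directory are assumptions.
use strict;
use warnings;
use CGI;
use CGI::Session;
use HTML::Template;

my $cgi = CGI->new;

# load() reads an existing session but never creates one, so a request
# without a valid session id yields an empty session object.
my $session = CGI::Session->load( undef, $cgi, { Directory => '/tmp' } )
    or die CGI::Session->errstr;

# No session, or an expired one: back to the login script.
if ( $session->is_expired or $session->is_empty ) {
    print $cgi->redirect('http://www.mydomain.com/cgi-bin/login.pl');
    exit;
}

# The login script stored the role it read from the database. It lives on
# the server; the browser holds only the session id and cannot change it.
my $is_admin = ( $session->param('role') // '' ) eq 'admin';
my $page     = $cgi->param('page') // 'menu';

# Enforce on every request, so typing the insert URL by hand is refused.
if ( $page eq 'insert' and not $is_admin ) {
    print $cgi->header( -status => '403 Forbidden', -type => 'text/plain' );
    print "Admins only.\n";
    exit;
}

# Hiding the link is presentation only; the check above is the control.
my $html = <<'TMPL';
<TMPL_IF NAME="show_form"><h1>Insert record</h1>
<TMPL_ELSE><h1>Menu</h1>
<TMPL_IF NAME="is_admin"><a href="?page=insert">Insert</a></TMPL_IF>
</TMPL_IF>
TMPL
my $template = HTML::Template->new( scalarref => \$html );
$template->param( is_admin => $is_admin, show_form => $page eq 'insert' );

print $session->header;
print $template->output;
```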


