  • #1
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts

    redirecting if not logged in.

    Hi,

    I am trying to put a snippet of code at the beginning of each of my scripts so that if the person is not logged in, they are redirected to the login page. The following code doesn't do it and I wonder if I need to look for a 'logged in' value in the session instead of just checking for a session.

    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;

    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    use DBI;
    use Date::Manip;
    use CGI::Session;

    use lib '/var/www/vhosts/example.com/subdomains/cms/cgi-bin/client_control_panel/';
    use lib '/var/www/vhosts/example.com/subdomains/cms/cgi-bin/';
    use POSIX;
    use Date::Format;
    use Date::Calc qw(:all);
    use Data::Dumper;

    my $cgi = CGI->new;
    # load() returns undef only on a storage error; with no cookie it hands back an empty session
    my $session = CGI::Session->load or die CGI::Session->errstr;

    if (!$session || $session->is_empty || $session->is_expired) {
        print $cgi->redirect("http://example.com/cgi-bin/login.pl");
        exit;   # stop here, otherwise the rest of the page is still sent after the redirect
    }
    If I check for a session variable, can I be sure that the value can't be inputted by someone maliciously?

    bazz
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!
    Useful MySQL resource
    Useful MySQL link

  • #2
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,838
    Thanks
    2
    Thanked 160 Times in 155 Posts
    I wonder if I need to look for a 'logged in' value in the session instead of just checking for a session
    That depends somewhat on where and how you created the session in the first place. Did you create the session before the user was authenticated or after?

    If the session was created before authentication, then you need to explicitly check for the 'logged in' value.

    If I check for a session variable, can I be sure that the value can't be inputted by someone maliciously?
    You can never be 100% sure, but as long as you're making the proper checks, it's a safe bet that you'll be ok.

  • #3
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    Thanks FishMonger.

    I am using a login script, which, I think, I got from you. It then loads the other files into an iframe, once someone has logged in. (Works perfectly as a login script.)

    What I am trying to do now, is ensure that if someone were to try to load one of the 'other' files, without logging in, then they are to be sent to the login script.

    Currently, I check for a logged in value from the session and, if it isn't there, they mustn't have logged in so they are taken to the login script. The logged in value is like a 64 character password and it must match with a value in each script, otherwise they will be redirected to the login script.

    But that was a compromise, I think, because whilst it works superficially, is there not some chance that the logged in value could be guessed or even the session which contains the value, being hi-jacked by someone who did have login details and who then can by-pass the login feature?

    I was previously trying to check for the session's existence but, of course, the code as shown in my OP creates a session so one will always exist.

    Is there another, better way than checking the session for a specific value?

    bazz
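The two questions above (checking an explicit logged-in value rather than mere session existence, and whether that value can be guessed or supplied by the client) can be answered with a small guard that each protected script runs at the top. This is an added example, not code from the thread; it assumes a hypothetical session directory, that login.pl already verifies the password elsewhere, and that `$LOGIN_URL` is the login page from the original post. The flag lives in server-side session storage keyed by the random session ID CGI::Session generates, so the browser never holds the flag itself and no long shared secret needs to be compared in every script.

```perl
#!/usr/bin/perl
# Added example, not the poster's code. Assumes login.pl has already verified
# the password before calling start_authenticated_session().
use strict;
use warnings;
use CGI;
use CGI::Session;

my $LOGIN_URL   = 'http://example.com/cgi-bin/login.pl';   # from the thread
my $SESSION_DIR = '/tmp/cms_sessions';                     # assumed path

# Put this at the top of each protected script (or in a shared module).
sub require_login {
    my ($cgi) = @_;
    # load() never creates a session: with no valid cookie it returns an
    # empty session object, so test the explicit flag, not mere existence.
    my $session = CGI::Session->load(undef, $cgi, { Directory => $SESSION_DIR })
        or die CGI::Session->errstr;
    if ($session->is_empty || $session->is_expired || !$session->param('user_id')) {
        print $cgi->redirect(-uri => $LOGIN_URL);
        exit;   # without exit the protected page is still sent after the header
    }
    return $session;   # caller may read $session->param('user_id')
}

# What login.pl does once the password check has succeeded. Passing undef
# instead of $cgi makes CGI::Session mint a brand-new random ID rather than
# reusing whatever session ID the browser presented before logging in.
sub start_authenticated_session {
    my ($cgi, $user_id) = @_;
    my $session = CGI::Session->new(undef, undef, { Directory => $SESSION_DIR })
        or die CGI::Session->errstr;
    $session->param('user_id', $user_id);   # set only here, server side
    $session->expire('+1h');                # limits how long a stolen cookie is useful
    $session->flush;
    # HttpOnly keeps the cookie away from page scripts; Secure keeps it off plain HTTP.
    my $cookie = $cgi->cookie(
        -name     => $session->name,
        -value    => $session->id,
        -httponly => 1,
        -secure   => 1,
    );
    return $cookie;   # send it with: print $cgi->header(-cookie => $cookie);
}
```

Because the only thing the client can present is the session ID cookie, guessing the flag is not the risk; protecting the cookie (HttpOnly, Secure, a short expiry, and a fresh ID issued at login) is what limits hijacking.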

  • #4
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,838
    Thanks
    2
    Thanked 160 Times in 155 Posts
    When I first started working with sessions, I too loaded the other files in iframes. However, I very quickly discovered that users could and were loading the "iframe files" directly which bypassed the login requirement.

    I have dropped the iframes and now use HTML::Template and within some of those templates, I use
    Code:
    <TMPL_IF NAME="PARAMETER_NAME"> ... </TMPL_IF>
    and
    Code:
    <TMPL_INCLUDE NAME="filename.tmpl">
    to load additional templates.

  • #5
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    OK, I'll look into that. Thanks.

    bazz

  • #6
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    Oh-h-h-h, I is confused.

    Most of my scripts are perl generated. What's with the .tmpl files? Is there a way, where I can use

    Code:
    use HTML::Template;
    at the start of my perl scripts and, work with it in the same scripts? sourceforge seems not to have valid links in cpan.

    bazz

  • #7
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,838
    Thanks
    2
    Thanked 160 Times in 155 Posts
    I'm not sure I fully understand your question.

    HTML::Template is used to have a separation between code logic and html. Have you read the documentation on cpan?

    http://search.cpan.org/~samtregar/HT....9/Template.pm

    http://search.cpan.org/~viy/HTML-Tem...ate/SYNTAX.pod

    http://search.cpan.org/~viy/HTML-Tem...lInterface.pod

    http://search.cpan.org/search?query=...plate&mode=all

  • #8
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    Thanks.

    Yep I read the page at your first link yesterday and it's gonna take a while to sink in.

    Does it mean that my web pages should all use the .tmpl extension instead of .htm, for example?

    bazz

  • #9
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,838
    Thanks
    2
    Thanked 160 Times in 155 Posts
    Yes. All html content that you were generating in your Perl scripts would be factored out and put in .tmpl files.

    If you need, tomorrow I can post an example from one of my scripts.

  • #10
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    I am sure that would assist me greatly. Thanks for the offer.


    bazz

  • #11
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    2,838
    Thanks
    2
    Thanked 160 Times in 155 Posts
    I sent you a PM regarding the files.

