I am trying to put a snippet of code at the beginning of each of my scripts so that if the person is not logged in, they are redirected to the login page. The following code doesn't do it and I wonder if I need to look for a 'logged in' value in the session instead of just checking for a session.


use CGI;
use CGI::Carp qw(fatalsToBrowser);
use strict;
use DBI;
use Date::Manip;
use CGI::Session;

use lib '/var/www/vhosts/example.com/subdomains/cms/cgi-bin/client_control_panel/';
use lib '/var/www/vhosts/example.com/subdomains/cms/cgi-bin/';
use POSIX;
use Date::Format;
use Date::Calc qw(:all);
use Data::Dumper;

my $cgi = CGI->new;   # CGI->new rather than the indirect-object form "new CGI"
# load() does not create a session; with no valid cookie it returns an empty one
my $session = CGI::Session->load or die CGI::Session->errstr;

if (!$session || $session->is_empty || $session->is_expired) {
    print $cgi->redirect("http://example.com/cgi-bin/login.pl");
    exit;   # stop here, otherwise the rest of the page is still sent after the redirect header
}

If I check for a session variable, can I be sure that the value can't be inputted by someone maliciously?


I wonder if I need to look for a 'logged in' value in the session instead of just checking for a session
That depends somewhat on where and how you created the session in the first place. Did you create the session before the user was authenticated or after?

If the session was created before authentication, then you need to explicitly check for the 'logged in' value.

If I check for a session variable, can I be sure that the value can't be inputted by someone maliciously?
You can never be 100% sure, but as long as you're making the proper checks, it's a safe bet that you'll be ok.
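The pattern described in this answer, as an added example that is not code from the thread or from either poster: a shared gate that every protected script calls first, plus the login-side routine that creates the session only after credentials have been verified. The `$DSN_ARGS` directory, the login URL and the function names are assumptions; the CGI::Session calls (`load`, `new`, `param`, `expire`, `is_empty`, `is_expired`, `delete`, `flush`, `name`, `id`) are the module's documented API.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Assumes a file-backed session store and
# placeholder login URL; both would be replaced in a real deployment.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $LOGIN_URL = 'https://example.com/cgi-bin/login.pl';   # placeholder
my $DSN       = 'driver:file;serializer:default';          # CGI::Session file driver
my $DSN_ARGS  = { Directory => '/tmp/sessions' };          # placeholder; must not be web-readable

# Call at the top of every protected script. Returns the session only when the
# server-side session carries the logged_in flag written by the login script.
sub require_login {
    my ($cgi) = @_;
    # load() never creates a session: with no valid cookie it returns an empty
    # object, so "does a session exist" alone can never be the test.
    my $session = CGI::Session->load($DSN, $cgi, $DSN_ARGS)
        or die CGI::Session->errstr;

    if ($session->is_empty || $session->is_expired || !$session->param('logged_in')) {
        print $cgi->redirect(-uri => $LOGIN_URL);
        exit;   # without exit the protected page is still emitted after the header
    }
    return $session;
}

# Called by the login script once the credentials have been verified (the
# verification itself is outside this example). A fresh session is created
# after authentication, so an id that existed before login, or one planted by
# a third party, is never promoted to a logged-in session.
sub start_authenticated_session {
    my ($cgi, $username) = @_;

    # Discard any pre-login session tied to the incoming cookie.
    my $old = CGI::Session->load($DSN, $cgi, $DSN_ARGS);
    if ($old && !$old->is_empty) {
        $old->delete;
        $old->flush;
    }

    # undef query: no cookie or parameter is read, so the id is generated server-side.
    my $session = CGI::Session->new($DSN, undef, $DSN_ARGS)
        or die CGI::Session->errstr;
    $session->param('logged_in', 1);          # the flag require_login() checks
    $session->param('user',      $username);
    $session->expire('+30m');                 # idle timeout limits a stolen id's lifetime
    $session->flush;

    # The session id is the only secret the browser holds; keep it out of
    # script reach and off plain HTTP.
    my $cookie = $cgi->cookie(
        -name     => $session->name,
        -value    => $session->id,
        -httponly => 1,
        -secure   => 1,
    );
    return ($session, $cookie);
}

# Usage in a protected script:
#   my $cgi = CGI->new;
#   my $session = require_login($cgi);
#   ... render the page for $session->param('user') ...
#
# Usage in login.pl after a successful credential check:
#   my ($session, $cookie) = start_authenticated_session($cgi, $username);
#   print $cgi->redirect(-uri => 'https://example.com/cgi-bin/panel.pl', -cookie => $cookie);
1;
```

The value stored in the session never leaves the server, so nothing the client submits can set `logged_in`; the only thing a client can present is a session id, which is why the example issues a new id at login time and expires it on inactivity.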

Thanks FishMonger.

I am using a login script, which, I think, I got from you. It then loads the other files into an iframe once someone has logged in. (Works perfectly as a login script.)

What I am trying to do now, is ensure that if someone were to try to load one of the 'other' files, without logging in, then they are to be sent to the login script.

Currently, I check for a logged in value from the session and, if it isn't there, they mustn't have logged in so they are taken to the login script. The logged in value is like a 64 character password and it must match with a value in each script, otherwise they will be redirected to the login script.

But that was a compromise, I think, because whilst it works superficially, is there not some chance that the logged in value could be guessed, or even of the session which contains the value being hijacked by someone who did have login details and who could then bypass the login feature?

I was previously trying to check for the session's existence but, of course, the code as shown in my OP creates a session so one will always exist.

Is there another, better way than checking the session for a specific value?


When I first started working with sessions, I too loaded the other files in iframes. However, I very quickly discovered that users could and were loading the "iframe files" directly which bypassed the login requirement.

I have dropped the iframes and now use HTML::Template and within some of those templates, I use
<TMPL_INCLUDE NAME="filename.tmpl"> to load additional templates.

OK, I'll look into that. Thanks.


Oh-h-h-h, I is confused.

Most of my scripts are Perl generated. What's with the .tmpl files? Is there a way where I can use

use HTML::Template;

at the start of my Perl scripts and work with it in the same scripts? SourceForge seems not to have valid links in CPAN.


I'm not sure I fully understand your question.

HTML::Template is used to have a separation between code logic and html. Have you read the documentation on cpan?


Yep I read the page at your first link yesterday and it's gonna take a while to sink in.

Does it mean that my web pages should all use the .tmpl extension instead of .htm, for example?


Yes. All html content that you were generating in your Perl scripts would be factored out and put in .tmpl files.

If you need, tomorrow I can post an example from one of my scripts.
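The separation described in this answer and in the earlier TMPL_INCLUDE remark, as an added example (not the poster's promised script, nor code from the HTML::Template project): the Perl script supplies only data, the markup lives in .tmpl files, and one template pulls in another with TMPL_INCLUDE. The two templates are constructed here and written to a temporary directory so the example runs on its own; `render_page` and the template names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread). The templates below are constructed
# sample content; in a deployment they would be .tmpl files outside the web root.
use strict;
use warnings;
use CGI;
use HTML::Template;
use File::Temp qw(tempdir);
use File::Spec;

my %TEMPLATES = (
    'header.tmpl' => <<'HTML',
<html><head><title><TMPL_VAR NAME="title" ESCAPE="HTML"></title></head><body>
HTML
    'page.tmpl' => <<'HTML',
<TMPL_INCLUDE NAME="header.tmpl">
<h1>Welcome, <TMPL_VAR NAME="user" ESCAPE="HTML"></h1>
<ul>
<TMPL_LOOP NAME="items"><li><TMPL_VAR NAME="label" ESCAPE="HTML"></li>
</TMPL_LOOP></ul>
</body></html>
HTML
);

# Write the constructed templates to a scratch directory (cleaned up on exit).
my $dir = tempdir(CLEANUP => 1);
for my $name (keys %TEMPLATES) {
    my $path = File::Spec->catfile($dir, $name);
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $TEMPLATES{$name};
    close $fh;
}

# The script passes data in; all HTML comes from the templates.
sub render_page {
    my ($user, @items) = @_;
    my $tmpl = HTML::Template->new(
        filename          => 'page.tmpl',
        path              => [$dir],   # TMPL_INCLUDE names are resolved against this path
        die_on_bad_params => 1,        # a mistyped param name fails loudly instead of silently
    );
    $tmpl->param(title => 'Control panel');
    $tmpl->param(user  => $user);
    $tmpl->param(items => [ map { { label => $_ } } @items ]);
    return $tmpl->output;
}

my $cgi = CGI->new;
print $cgi->header(-type => 'text/html', -charset => 'utf-8');
# ESCAPE="HTML" on every TMPL_VAR means a user-supplied value such as this
# one is rendered as text rather than interpreted as markup.
print render_page('<b>someone</b>', 'Orders', 'Invoices');
```

Because the markup is no longer built by string concatenation inside the script, the login check from the earlier part of the thread can sit at the top of the one script that renders the page, and there are no separately loadable iframe files for a visitor to request directly.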

I am sure that would assist me greatly. Thanks for the offer.


