A Problem on CGI

alan_j at supvax.sls.co.uk alan_j at supvax.sls.co.uk
Mon Jan 22 09:05:09 EST 1996


<<...we want users to input their names and
passwords in order to build their own profiles and go to their sessions
respectively. However, we have the problem of the password we have to trace
along when the user is using our system, as CGI is said to be "stateless";
therefore we have difficulty passing information from one session to
another and at the same time tracking whether he is the same user.>>

The http standard RFC931 (user authentication) has an answer to this problem. 
For compliant servers, a 'protected script', when accessed, sends back 
"error 401" that causes the client browser to display a username/password 
overlay box. The information entered is verified (eg on NT boxes against the 
'register') and stored on the server for you as environment variables 
remote_user and remote_ident. A unique file name may be constructed from the 
user's id plus an access code (eg based on time or a random number). This is
used to store the user's personal data for the session on the server. The access
code is sent backwards and forwards to the client as hidden form data. Every
time the user executes a protected script it constructs the file name using the
env. var. and the code - hey presto, statelessness is overcome. 

NB This is not 'secure'. If you need better security you must use Netscape's
Secure Sockets Layer or NCSA htpasswd scheme, both of which are proprietary.

Alan Jackson
http://www.datatext.co.uk/ti/
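The scheme the post describes (server authenticates the user after a 401, REMOTE_USER plus an access code names a per-session file, the code travels as hidden form data), written out as an added Python CGI-style example; it is not Alan's code. The state directory, the file layout and the choice of a random rather than time-based access code are assumptions; the user name and code are whitelisted before they touch a path so a crafted value cannot escape the state directory.

```python
import os
import re
import json
import secrets
import tempfile

# Assumption: where per-session files live; the server's REMOTE_USER is trusted,
# the access code is not, so both are validated before building a file name.
STATE_DIR = os.path.join(tempfile.gettempdir(), "cgi_sessions")

_USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
_CODE_RE = re.compile(r"[0-9a-f]{32}")


def session_path(remote_user, code):
    """Build the session file name from REMOTE_USER and the access code.
    Returns None if either part contains anything outside the whitelist."""
    if not _USER_RE.fullmatch(remote_user) or not _CODE_RE.fullmatch(code):
        return None
    return os.path.join(STATE_DIR, f"{remote_user}.{code}.json")


def start_session(remote_user, profile):
    """First protected script after the 401 challenge: create the session file.
    A random code is used because a time-based one is guessable; the code is
    what the script embeds as a hidden form field for later requests."""
    os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)
    code = secrets.token_hex(16)
    path = session_path(remote_user, code)
    if path is None:
        return None
    # O_EXCL: never silently overwrite another session's file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(profile, f)
    return code


def load_session(environ, form):
    """Later protected scripts: REMOTE_USER comes from the server environment,
    the access code comes back in the submitted form. Returns the stored
    profile, or None when user and code do not name an existing session."""
    remote_user = environ.get("REMOTE_USER", "")
    code = form.get("access_code", "")
    path = session_path(remote_user, code)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return json.load(f)
```

Because the file name binds the code to REMOTE_USER, a code leaked from one user's form cannot be replayed under another user's authenticated name.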


More information about the Web4lib mailing list