
Perl CGI Programming: No experience required.
(Publisher: Sybex, Inc.)
Author(s): Erik Strom
ISBN: 0782121578
Publication Date: 11/01/97



Moving Passwords to the Web

The last step in this section will be to actually password-protect a Web page.

Setting up the form for entering a password is not difficult because HTML forms have a password input type that displays only asterisks when something is typed into it. The HTML code that follows shows you how to do it:

   <HTML>
   <HEAD>

   <TITLE>Enter your password, please</TITLE>
   </HEAD>

   <BODY>
   <H1 ALIGN="CENTER">Enter your password, please</H1>
   <HR>
   <CENTER>
   <FORM ACTION="/cgi-bin/chkpwd.pl" METHOD="POST">
   <H3>Password:</H3>
   <INPUT TYPE="password" NAME="password" SIZE="12" MAXLENGTH="12">
   <BR>
   <BR>
   <INPUT TYPE="submit" VALUE="Enter">
   <INPUT TYPE="reset" VALUE="Clear">
   </FORM>
   </CENTER>
   </BODY>
   </HTML>

Save this code as password.html in your Web server’s root directory. Figure 13.10 shows what it will look like in your browser when you type something in the password field.


Figure 13.10:  An HTML password-entry form

There is one noteworthy instruction in password.html. Notice that we have chosen the POST method for the form. Why? Two reasons: First, you don't want the form's data, including the password, to show up in the URL, where any visitor could see it, as it would if the GET method were specified. Second, you don't want any visitor to attempt to run the form's CGI program, chkpwd.pl, directly as a URL. POST only keeps the password out of the URL; the request body itself still travels unencrypted unless the form is served over a secure (SSL) connection. You'll see how to guard against the second possibility in the script for chkpwd.pl, which follows:

   #!/perl/bin/perl

   # chkpwd.pl
   # Verifies the password sent to it with what’s
   # in the password file.

   # Get header files.

       require "html.pm";               # require dies by itself if the file can't be loaded.
       $PwdFileName = "password";       # Full path where needed.

   # Check the REQUEST_METHOD to ensure that it's "POST".
   # Complain and exit if it's not.

       if ($ENV{'REQUEST_METHOD'} ne "POST")
           {
           &HTML_Header ("Unauthorized entry!");
           print <<THE_END;
   <BODY>
   <H1 ALIGN="CENTER">Unauthorized entry attempt</H1>
   <H1 ALIGN="CENTER">Goodbye!</H1>
   </BODY>
   THE_END

           &HTML_Footer;
           exit (0);
           }

   # Method's OK. Get the data and try to open the password file
   # and get the encrypted password.

       read (STDIN, $QueryString, $ENV{'CONTENT_LENGTH'});
       ($dummy, $PwdString) = split (/=/, $QueryString);
       open (PWD, $PwdFileName) ||
           die "Can't open $PwdFileName: $!\n";
       $EncryptedPwd = <PWD>;
       close (PWD);
       chomp ($EncryptedPwd);           # Drop the newline so the comparison below can match.

   # Run everybody by crypt().

       if (crypt ($PwdString, $EncryptedPwd) eq $EncryptedPwd)
           {
           &HTML_Header ("Welcome");
           print <<END_GOOD_PWD;
   <BODY>
   <H1 ALIGN="CENTER">Welcome to the restricted Web page</H1>
   <HR>
   <H2 ALIGN="CENTER">Your password must have worked…</H2>
   </BODY>
   END_GOOD_PWD

           &HTML_Footer;
           }
       else       # This handles an incorrect password.
           {
           &HTML_Header ("Incorrect password");
           print <<END_BAD_PWD;
   <BODY>
   <H1 ALIGN="CENTER">Incorrect password!</H1>
   <HR>
   <H2 ALIGN="CENTER">Hit the "Back" button and try again</H2>
   </BODY>
   END_BAD_PWD

           &HTML_Footer;
           }
  #                    End chkpwd.pl

Install chkpwd.pl where your server expects to find CGI applications. Run it by entering passwords in the form created by password.html. A good password results in the display shown in Figure 13.11.


Figure 13.11:  A good password was entered.

And if a bad password is sent to chkpwd.pl, it draws the page shown in Figure 13.12.


Figure 13.12:  The script complains about an incorrect password.
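The parsing and comparison steps of chkpwd.pl can be pulled into one function and exercised without a Web server. The following is an added example, not code from the book: it URL-decodes the posted field, strips the newline from the stored hash, and rejects the request when crypt() cannot produce a usable hash. The names check_password and constant_time_eq are hypothetical, and the stored hash and request bodies are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the book): the parsing and comparison steps of
# chkpwd.pl as one testable function. check_password() and constant_time_eq()
# are hypothetical names; the sample hash and request bodies are constructed.
use strict;
use warnings;

# Compare every byte instead of stopping at the first difference.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $body: raw POST body; $stored: one line read from the password file.
sub check_password {
    my ($body, $stored) = @_;
    return 0 unless defined $body && defined $stored;
    chomp $stored;                          # <PWD> keeps the trailing newline
    return 0 unless length($stored) >= 2;   # crypt() needs at least a two-character salt
    my $pwd;
    for my $pair (split /[&;]/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && $name eq 'password';
        $pwd = defined $value ? $value : '';
        $pwd =~ tr/+/ /;                               # "+" encodes a space
        $pwd =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # %XX encodes one byte
        last;
    }
    return 0 unless defined $pwd && length $pwd;
    my $candidate = crypt($pwd, $stored);   # undef or "*0" if the scheme is unsupported
    return constant_time_eq($candidate, $stored);
}

# Constructed demo: hash a password with a two-character salt, as a
# traditional crypt() password file would, then replay three request bodies.
my $stored = crypt('s3cret&go', 'ab');
die "crypt() cannot hash with this salt here\n" unless defined $stored && $stored !~ /^\*/;
$stored .= "\n";
for my $body ('password=s3cret%26go', 'password=wrong', 'user=x&password=s3cret%26go') {
    printf "%-30s => %s\n", $body, check_password($body, $stored) ? 'accepted' : 'rejected';
}
```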

Applying Passwords on Your Site

Now that you can protect a Web page with an encrypted password, what applications can you think of for the concept? You could set up portions of the Web site for selected visitors, of course. Or you could require that visitors get past a protected page before they enter your site at all.

One good application would be to use your Web server and browser as an interface for you to perform maintenance functions on your site. Site maintenance is important, but you’re the only one who should be performing it.

In the next section, you’ll explore the rudiments of site maintenance by building a system to edit entries out of your guest book from a password-protected Web page.

Maintaining a Secure Web Site

A Web installation requires care and feeding. The amount is pretty much up to you, but you’ll find very soon after building a Web site that you can’t just crank it up and walk away.

Maintaining adequate security on a site doesn't have to be a matter of constant vigilance, though the more vigilance you apply, the fewer unwanted visitors will drop by. Keep an eye on your server's logs, because they can tell you when and from where an untoward event might have occurred. With many servers, you can even lock out access from specific IP addresses. This is drastic, because lots of visitors come from online services such as America Online and CompuServe, and you would be locking all of them out. But it is an option if you feel that your site is being compromised.
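One way to keep an eye on the logs for the password page, as an added example that is not code from the book: chkpwd.pl as shown writes no record of its own when a password is wrong, so the number of POST requests each address sends to the script is the signal the server's access log offers. The function name noisy_clients, the threshold of 5 and the sample lines in Common Log Format are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the book): count POST requests to the password
# script per client address in Common Log Format lines. noisy_clients(), the
# threshold and the sample lines (documentation addresses) are constructed.
use strict;
use warnings;

# Returns [address, count] pairs for clients with at least $threshold POSTs
# to $path, busiest first.
sub noisy_clients {
    my ($lines, $path, $threshold) = @_;
    my %posts;
    for my $line (@$lines) {
        # host ident user [time] "METHOD uri PROTOCOL" status bytes
        next unless $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+/;
        my ($host, $method, $uri) = ($1, $2, $3);
        $uri =~ s/\?.*//s;                      # ignore any query string
        $posts{$host}++ if $method eq 'POST' && $uri eq $path;
    }
    my @hits = grep { $posts{$_} >= $threshold } keys %posts;
    return map { [ $_, $posts{$_} ] }
           sort { $posts{$b} <=> $posts{$a} || $a cmp $b } @hits;
}

# Constructed sample: one address posts to chkpwd.pl six times in a minute,
# another posts once after loading the form.
my @log = map {
    sprintf '192.0.2.10 - - [01/Nov/1997:10:00:%02d -0500] "POST /cgi-bin/chkpwd.pl HTTP/1.0" 200 312', $_
} 1 .. 6;
push @log,
    '198.51.100.7 - - [01/Nov/1997:10:02:11 -0500] "GET /password.html HTTP/1.0" 200 540',
    '198.51.100.7 - - [01/Nov/1997:10:02:30 -0500] "POST /cgi-bin/chkpwd.pl HTTP/1.0" 200 312',
    'not a log line';

for my $hit (noisy_clients(\@log, '/cgi-bin/chkpwd.pl', 5)) {
    printf "%s sent %d POSTs to chkpwd.pl\n", @$hit;
}
```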

Most Web site maintenance doesn’t involve stringing up cybernetic barbed wire, however. The more features you have on your site, the more interaction you will have with visitors, which increases the amount of work for you. Visitors might be filling out polls or ordering products; any of this interaction will be stored on your site and you have to do something with it.

The Web server and browser give you a built-in graphical user interface that you can use—often with very little programming—to set up modules on the site for maintaining the aspects of your Web pages that need it. Again, the guest book module you built in Skill 7 provides a good place to start.



Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.