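#########################################################################
# PerlHelp Logon.pl
#########################################################################
# 2001 Ameri-Guide, Inc. All Rights Reserved
#########################################################################
# Authors: Bill Stephenson & Shawn McKinley
# Date Created: 5/10/01
# Modified on: work in progress
# Version: 0.02
#
# Description: I wanted a simple, reusable, logon routine to use in
#              my cgi applications so I wrote this one. It obviously
#              does not provide very tight security, but it should
#              keep most unwanted users from accessing a cgi
#              application.
#
# Bug Reports: Please send bug reports and comments to:
#              info@PerlHelp.com
#
# Warnings:    Use this script at your own risk. Authentication is a
#              single shared username/password kept in plain text in
#              the caller's globals ($username / $mypassword). There is
#              no rate limiting, no per-user accounts and no CSRF
#              protection. A session is an empty marker file
#              "$session_path/<id>.dat"; it is valid while the file
#              exists and is younger than $saved_sessions days. The
#              session ID is 128 bits read from /dev/urandom - never
#              use rand() for this, its output is guessable.
#
# Globals expected from the calling script (package main):
#   $query          - CGI.pm object for the current request
#   $username       - the single permitted login name
#   $mypassword     - its password (plain text)
#   $title          - page title prefix for the logon form
#   $session_path   - directory holding the session marker files
#   $session_length - cookie lifetime, in CGI.pm -expires syntax
#   $saved_sessions - age in days after which a session file is removed
#   $valid_path     - cookie -path
#   $domain_name    - cookie -domain
#########################################################################
# SubRoutines
#########################################################################
#sub logOn
#sub logOff
#sub RemoveOldSessions
#sub _new_session_id       (private)
#sub _constant_time_eq     (private)
#sub _print_logon_form     (private)
#sub _cookie_session_id    (private)
#########################################################################

use strict;
use warnings;

our ($query, $username, $mypassword, $title,
     $session_path, $session_length, $saved_sessions,
     $valid_path, $domain_name);

# Allowlist for a session ID: the current format (32 lowercase hex
# digits) or the legacy rand()-derived "123.456" form, so sessions and
# files created by the previous version are still recognised and
# cleaned up. Every cookie value and directory entry is matched against
# this BEFORE it is used in a path; the capture is what gets used, which
# also untaints it under -T.
my $SESSION_ID_RE = qr/[0-9a-f]{32}|[0-9]+\.[0-9]+/;

#########################################################################
# subroutine: _new_session_id
# Usage: my $id = _new_session_id();
#
# Returns a fresh, unpredictable session ID: 32 lowercase hex digits
# (16 bytes) read from /dev/urandom. Dies if /dev/urandom cannot be
# read - there is deliberately no fallback to rand(). The value is
# re-matched against an allowlist so it is untainted under -T.
#########################################################################
sub _new_session_id {
    open(my $rnd, '<', '/dev/urandom')
        or die "Couldn't open /dev/urandom for reading: $!\n";
    binmode($rnd);
    my $bytes = '';
    while (length($bytes) < 16) {
        # read() may return fewer bytes than asked for; append at offset.
        my $got = read($rnd, $bytes, 16 - length($bytes), length($bytes));
        die "Couldn't read from /dev/urandom: $!\n" unless $got;
    }
    close($rnd);
    my ($id) = unpack('H32', $bytes) =~ /\A([0-9a-f]{32})\z/
        or die "Unexpected session ID format\n";
    return $id;
}

#########################################################################
# subroutine: _constant_time_eq
# Usage: if (_constant_time_eq($got, $expected)) { ... }
#
# Compares two strings without stopping at the first differing byte, so
# the time taken does not reveal how much of a guessed password was
# right (only the length is leaked). undef is treated as the empty
# string. Returns 1 when equal, 0 otherwise.
#########################################################################
sub _constant_time_eq {
    my ($left, $right) = @_;
    $left  = '' unless defined $left;
    $right = '' unless defined $right;
    return 0 if length($left) != length($right);
    my $diff = 0;
    for my $i (0 .. length($left) - 1) {
        $diff |= ord(substr($left, $i, 1)) ^ ord(substr($right, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

#########################################################################
# subroutine: _print_logon_form
# Usage: _print_logon_form($attempted);   # does not return
#
# Prints the complete logon page and exit()s. $attempted is true when
# the user submitted both a username and a password that did not match;
# then the "did not match" message is shown and the submitted values are
# dropped from the query so CGI.pm's sticky fields do not echo them back
# into the form.
#########################################################################
sub _print_logon_form {
    my ($attempted) = @_;
    print $query->header;
    print $query->start_html("$title Logon Page");
    print $query->startform;
    if ($attempted) {
        print "Your Username or Password did not match.\n\nPlease Try Again\n\n";
        $query->delete('password');
        $query->delete('username');
    }
    else {
        print "Enter Your User Info to Begin.\n\n";
    }
    print "UserName:\n", $query->textfield(-name => 'username'), "\n\n\n";
    print "Password:\n", $query->password_field(-name => 'password'), "\n\n\n";
    print $query->submit('action', 'Start');
    print $query->endform;
    print $query->end_html;
    exit;
}

#########################################################################
# subroutine: _cookie_session_id
# Usage: my $id = _cookie_session_id();
#
# Returns the session ID carried by the 'sessionID' cookie when - and
# only when - it matches the allowlist AND its marker file exists under
# $session_path. Returns undef for no cookie, a malformed cookie, or a
# session whose file is gone. The allowlist check runs before any
# filesystem access because the cookie value is attacker-controlled.
#########################################################################
sub _cookie_session_id {
    my $raw = $query->cookie('sessionID');
    return unless defined $raw;
    my ($id) = $raw =~ /\A($SESSION_ID_RE)\z/;
    return unless defined $id;
    return unless -e "$session_path/$id.dat";
    return $id;
}

#########################################################################
# subroutine: logOn
# Usage: logOn();
#
# Gate for the cgi application. When it returns, the user is
# authenticated and the HTTP header (carrying the session cookie) has
# already been printed, so the caller goes straight on to its page body.
# In every other case a complete logon page is printed and the script
# exit()s.
#
# Flow:
#   1. A cookie naming an existing session file -> refresh the file's
#      mtime and re-issue the cookie; no credentials needed.
#   2. Otherwise (no cookie, or a stale/garbage one) -> credentials are
#      required. A stale cookie is treated exactly like no cookie, so a
#      user whose session file was aged out can log on again instead of
#      being locked out until the browser drops the cookie.
#   3. Correct credentials -> a brand-new random session ID; a value
#      supplied by the client is never adopted as the session ID.
#
# Dies if $mypassword is unset or empty (fail closed on misconfiguration
# rather than accept an empty password).
#########################################################################
sub logOn {
    die "logOn: \$mypassword is not configured\n"
        unless defined $mypassword && length $mypassword;

    # Purge expired sessions first so an aged-out file cannot keep an
    # old session alive for one more request.
    RemoveOldSessions();

    my $session_id = _cookie_session_id();

    if (!defined $session_id) {
        my $password = $query->param('password');
        $password = "" unless defined $password;
        my $user = $query->param('username');
        $user = "" unless defined $user;

        # Both comparisons are always evaluated (no short-circuit) so a
        # wrong username costs the same time as a wrong password.
        my $user_ok = _constant_time_eq($user, $username);
        my $pass_ok = _constant_time_eq($password, $mypassword);
        unless ($user_ok && $pass_ok) {
            # Show "did not match" only when both fields were filled in.
            _print_logon_form($password ne "" && $user ne "");
        }

        # Credentials match: mint a new session.
        $session_id = _new_session_id();
    }

    # Create the marker file, or truncate the existing one to refresh
    # its mtime (the file holds no data; age alone defines validity).
    my $session_file = "$session_path/$session_id.dat";
    open(my $fh, '>', $session_file)
        or die "Couldn't open $session_file for writing: $!\n";
    close($fh)
        or die "Couldn't close $session_file: $!\n";

    # NOTE(review): newer CGI.pm releases also accept -httponly=>1; add
    # it if the installed version supports it so page scripts cannot
    # read the session ID.
    my $cookie = $query->cookie(
        -name    => 'sessionID',
        -value   => $session_id,
        -expires => $session_length,
        -path    => $valid_path,
        -domain  => $domain_name,
        -secure  => 1,
    );
    print $query->header(-cookie => $cookie);
    # The caller continues with the main app here.
    return;
}

#########################################################################
# subroutine: RemoveOldSessions
# Usage: RemoveOldSessions();
#
# Deletes session marker files in $session_path whose mtime is older
# than $saved_sessions days (-M reports age in days). Only names that
# match the session ID allowlist followed by ".dat" are considered;
# anything else in the directory is skipped rather than die()ing, so a
# stray file cannot take the whole application down. The match also
# untaints the name for -T.
#
# It was taken from Selena Sol's book "Instant Web Scripts"
# and highly modified for my needs
#########################################################################
sub RemoveOldSessions {
    opendir(my $dh, $session_path)
        or die "Couldn't open $session_path Directory: $!\n";
    my @entries = readdir($dh);
    closedir($dh);

    for my $entry (@entries) {
        my ($name) = $entry =~ /\A($SESSION_ID_RE\.dat)\z/;
        next unless defined $name;          # ".", "..", or not a session file
        my $path = "$session_path/$name";
        my $age  = -M $path;
        next unless defined $age;           # removed by another request meanwhile
        if ($age > $saved_sessions) {
            unlink($path) or warn "Couldn't remove $path: $!\n";
        }
    }
    return;
}

#########################################################################
# subroutine: logOff
# Usage: logOff();
#
# Ends the current session: removes its marker file (when the cookie is
# well-formed) and prints an HTTP header that expires the 'sessionID'
# cookie. The cookie is expired even if its value is malformed, and the
# old ID is not echoed back in the expiring cookie. With no cookie at
# all, a plain header is printed. Does not exit; the caller decides what
# page follows.
#########################################################################
sub logOff {
    my $raw = $query->cookie('sessionID');
    if (!defined $raw) {
        print $query->header;
        return;
    }

    # Allowlist before touching the filesystem (also untaints under -T).
    my ($session_id) = $raw =~ /\A($SESSION_ID_RE)\z/;
    if (defined $session_id) {
        # Best effort: the file may already have been aged out.
        unlink("$session_path/$session_id.dat");
    }

    my $cookie = $query->cookie(
        -name    => 'sessionID',
        -value   => '',
        -expires => '-1',
        -path    => $valid_path,
        -domain  => $domain_name,
        -secure  => 1,
    );
    print $query->header(-cookie => $cookie);
    return;
}

1;

#########################################################################
# That's All Folks!!
#########################################################################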