Welcome to TalkGraphics.com
  #1
    Join Date: Aug 2000 | Location: Calgary, Canada | Posts: 122

    Hi

    I am new to the CGI/database stuff and was wondering if this was a difficult thing to do, and if not, how do I do it. I need to create a password-protected area using the last name of the prospective member and their membership number as the password. We would like the ability to just upload the membership database when new members sign on.

    They don't want the ability to change the passwords now... but I don't think this is a good idea. For one thing, the membership numbers start at number 1 (how secure a password is that?). And for another, I think people should have the ability to change the password into something that is easy to remember. They want to track the member, as far as allowing access etc., by their membership number... but I think that the membership number can still be involved in a hidden manner. So I don't know if I should have this functionality now, or just change the CGI later if and when they want the ability to change passwords.

    Thanks for your time,
    Beth

  #3
    Join Date: Aug 2000 | Location: Ingolstadt, Germany | Posts: 358



    Hi Beth,

    What's your server? And how deep do you want to get into this? I'm a control freak, so I do everything myself in CGI with databases. The advantage is total customisation: you can build joint-authentication schemes involving cookies or forms as well as Basic Authentication, you can do your own interactive login boxes and things... but there are problems. Alternatives:

    Static password protection is easy in Apache - just use .htaccess/.htpasswd as detailed in Apacheweek, and overwrite the passwords file when the membership database is updated. In MS IIS, things aren't so easy because the in-built authentication options validate against the Windows userbase, not one you provide yourself. I believe you can get add-ons to allow IIS to behave more sensibly, though.

    This isn't so suitable if the user can change the password, though - that's where the databases come in. (You can of course also store more extended user profile information in a database.) Apache has options like mod_auth_mysql to let you authenticate from a database instead of a .htpasswd file, and your scripts can write to the database to change the password.

    If you're not already into CGI and databases, you might opt for an easier road in like ASP or PHP. They'll have their own authentication functions, at the cost of direct access to the HTTP headers you want. Personally, I had trouble getting authentication to work in ASP, and if you're using the CGI version of PHP under Apache you'll have the same problems as standard CGI (speaking of which...).

    You want to be confident in your database and the HTTP headers involved in Authentication before you venture into do-it-yourself land, because there are additional server problems to get in your way.

    In IIS, the default settings are to intercept authentication headers and check them against Windows users. To avoid this, go to 'Site properties/Directory Security/Authentication Methods' and turn off everything but 'anonymous access'. Secondly, if your script sends back the '401 Authorisation required' response, IIS will intercept it and send back a custom error page that doesn't actually work. Stop it doing this by turning off custom errors for 401, again from the site properties box.

    Apache doesn't interfere with the 401 response, but it does sit in the way and prevent your CGI script reading the supplied password. This is actually a security feature which you can only turn off at compile-time with an undocumented switch (called SECURITY_HOLE or something), and is annoying. If you use mod_perl you can get the authorisation info anyway, and if you use PyApache (my favourite) it's not actually a security hole if you turn on the switch. Also it's possible to hack mod_rewrite into passing the Authorization: header to scripts in an environment variable, but this won't work for HTTPS servers and can indeed be a security hole on a multi-user system.

    I hate web servers that think they're cleverer than they really are...

    Let me know what approach you take, and how it goes.
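Added example (not code from Andrew's post or from anyone in the thread): the do-it-yourself Basic Authentication check he describes, written as the part of a Python CGI script that reads the Authorization header from the environment and verifies it against a hashed copy of the uploaded membership database. It assumes the server actually hands the header to the script: the Apache 1.3 compile-time switch Andrew refers to is -DSECURITY_HOLE_PASS_AUTHORIZATION, Apache 2.4.13 and later expose the same thing as the `CGIPassAuth On` directive, and the mod_rewrite workaround may surface in CGI as REDIRECT_HTTP_AUTHORIZATION after an internal redirect. The realm name, the PBKDF2 work factor and the three-member CSV are constructed for the example.

```python
# Added example (not from the thread): Basic-auth handling for a CGI script.
# Assumes the server forwards the Authorization header (Apache 2.4.13+:
# `CGIPassAuth On`; older Apache: the mod_rewrite env trick, which may appear
# as REDIRECT_HTTP_AUTHORIZATION after an internal redirect).
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

REALM = "Members Area"   # assumed realm name
PBKDF2_ROUNDS = 100_000  # assumed work factor

# Constructed stand-in for the uploaded membership database: last name is the
# login and the membership number is the initial password, as in the thread.
MEMBERSHIP_CSV = """\
Smith,1
Jones,2
Nguyen,17
"""


def hash_secret(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<salt hex>$<digest hex>' for storage."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_secret(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    try:
        algo, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    return hmac.compare_digest(hash_secret(password, salt), stored)


def load_members(csv_text: str) -> Dict[str, str]:
    """Map lower-cased last name -> hash; hashing at upload time keeps the
    plaintext membership numbers out of the web-served directory."""
    members = {}
    for line in csv_text.splitlines():
        if line.strip():
            last_name, number = (f.strip() for f in line.split(",", 1))
            members[last_name.lower()] = hash_secret(number)
    return members


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None when absent or malformed."""
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None  # RFC 7617: the colon is mandatory


def authorization_from_environ(environ) -> Optional[str]:
    """The header as mod_cgi passes it, or as mod_rewrite re-exports it."""
    return environ.get("HTTP_AUTHORIZATION") or environ.get("REDIRECT_HTTP_AUTHORIZATION")


# Verified for unknown users so response time does not reveal which last
# names exist in the database.
DUMMY_HASH = hash_secret("not-a-member")


def authenticate(environ, members: Dict[str, str]) -> Tuple[int, List[Tuple[str, str]], Optional[str]]:
    """Return (status, response headers, authenticated member or None).
    Every failure answers 401 plus a WWW-Authenticate challenge, the response
    IIS of the era swallowed unless custom errors for 401 were switched off."""
    challenge = [("WWW-Authenticate", f'Basic realm="{REALM}", charset="UTF-8"')]
    creds = parse_basic_auth(authorization_from_environ(environ))
    if creds is None:
        return 401, challenge, None
    user, password = creds
    stored = members.get(user.lower(), DUMMY_HASH)  # unknown user: still verify
    ok = verify_secret(stored, password)
    if user.lower() not in members or not ok:
        return 401, challenge, None
    return 200, [("Content-Type", "text/plain")], user.lower()


def basic_header(user: str, password: str) -> str:
    """Client-side helper: build the Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    members = load_members(MEMBERSHIP_CSV)
    for hdr in (basic_header("Smith", "1"), basic_header("Smith", "999"), None):
        environ = {"HTTP_AUTHORIZATION": hdr} if hdr else {}
        print(authenticate(environ, members))
```

Run directly, it prints a 200 for Smith/1, a 401 challenge for a wrong number, and a 401 challenge when no header arrives at all. That last case is indistinguishable, from inside a CGI script, from the server having stripped the header, so test the deployed script with `curl -u Smith:1` before concluding the code is at fault. Hashing the membership numbers with PBKDF2 protects the stored copy, but it does not make a password of "1" any harder to guess over the wire; that is the point of Beth's concern about letting members change them.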

  #4
    Join Date: Aug 2000 | Location: Calgary, Canada | Posts: 122

    Thanks Andrew

    I kind of figured this would not be a real easy thing to learn. A lot of techie stuff that I am not too familiar with (yet).

    I believe the servers are pretty sound. It is a big internet provider in Vancouver, Canada (netnation), and they have both UNIX and NT servers. I believe I am on the UNIX one. The speed and reliability is great... I have no complaints with them at all.

    I will print your response, plus some of the info from Apache. My kind of bedtime reading.

    I also have to do a fairly large research database for the same site too. This has to be fully searchable and be able to organize a moderate amount of information (periodical name, date, topic, keywords, the actual article, author etc.). Not sure if I want to attempt this myself though. I already have too many hats on my head as it is.

    Thanks for your detailed answer. It is much appreciated.

    Beth
