IGNORE: it seems to be working...
i have made extensive changes to dbman script. i'm using htaccess, thus server_auth, for password. but still checking permissions in regular pass files.
at one time i had it working so that it only created one session file per session. but now it's creating a session file each time a user takes an action, i.e. everytime db.cgi is called. i've uploaded db.cgi and auth.pl. below is excerpt of sub main. auth_check_password is where it gets $db_uid. i fixed db.cgi (i think) so that it doesn't delete $db_uid if $db_uid isn't passed in a link. but apparently the check_password sub in auth.pl isn't seeing $db_uid so it's writing a new session file every time.
edit: just checked and the session ID is in the links, so why doesn't db.cgi see it??
going crazy! please help. thanks
sub main {
# --------------------------------------------------------
my ($status, $uid);
local($per_add, $per_view, $per_mod, $per_del, $per_spec, $per_admin, $per_massmail, $per_export);
$|++; # Flush Output Right Away
&auth_cleanup unless ($auth_no_authentication); # Remove old session files.
($status, $uid, $per_view, $per_add, $per_del, $per_mod, $per_spec, $per_admin,$per_massmail, $per_export)
= &auth_check_password; # Authenticate User, get permissions and userid.
if ($status eq "okx") { # request to change password first time logging in 2015
$db_script_link_url = "$db_script_url?db=$db_setup&uid=$db_uid";
&html_change_password_form('Please change your password to something easy to remember but hard to guess!');
}
elsif ($status eq "ok") {
# Set the script link URL with db and user info for links. Use $db_script_url for forms.
$db_script_link_url = "$db_script_url?db=$db_setup&uid=$db_uid";
if ($uid eq "guest") { $db_userid = $uid; }
else { ($db_userid) = $db_uid =~ /([A-Za-z0-9]+)\.\d+/; }
# Main Menu. Check to see what the user requested, then, if he has permission for that
# request, do it. Otherwise send the user off to an unauthorized request page.
if ($in{'add_form'}) { if ($per_add) { &html_add_form; } else { &html_unauth; } }
elsif ($in{'add_record'}) { if ($per_add) { &add_record; } else { &html_unauth; } }
elsif ($in{'view_search'}) { if ($per_view) { &html_view_search; } else { &html_unauth; } }
elsif ($in{'view_records'}) { if ($per_view) { &view_records; } else { &html_unauth; } }
else {
&html_login_failure($status);
}
}
i have made extensive changes to dbman script. i'm using htaccess, thus server_auth, for password. but still checking permissions in regular pass files.
at one time i had it working so that it only created one session file per session. but now it's creating a session file each time a user takes an action, i.e. everytime db.cgi is called. i've uploaded db.cgi and auth.pl. below is excerpt of sub main. auth_check_password is where it gets $db_uid. i fixed db.cgi (i think) so that it doesn't delete $db_uid if $db_uid isn't passed in a link. but apparently the check_password sub in auth.pl isn't seeing $db_uid so it's writing a new session file every time.
edit: just checked and the session ID is in the links, so why doesn't db.cgi see it??
going crazy! please help. thanks
Code:
sub main {
# --------------------------------------------------------
my ($status, $uid);
local($per_add, $per_view, $per_mod, $per_del, $per_spec, $per_admin, $per_massmail, $per_export);
$|++; # Flush Output Right Away
&auth_cleanup unless ($auth_no_authentication); # Remove old session files.
($status, $uid, $per_view, $per_add, $per_del, $per_mod, $per_spec, $per_admin,$per_massmail, $per_export)
= &auth_check_password; # Authenticate User, get permissions and userid.
if ($status eq "okx") { # request to change password first time logging in 2015
$db_script_link_url = "$db_script_url?db=$db_setup&uid=$db_uid";
&html_change_password_form('Please change your password to something easy to remember but hard to guess!');
}
elsif ($status eq "ok") {
# Set the script link URL with db and user info for links. Use $db_script_url for forms.
$db_script_link_url = "$db_script_url?db=$db_setup&uid=$db_uid";
if ($uid eq "guest") { $db_userid = $uid; }
else { ($db_userid) = $db_uid =~ /([A-Za-z0-9]+)\.\d+/; }
# Main Menu. Check to see what the user requested, then, if he has permission for that
# request, do it. Otherwise send the user off to an unauthorized request page.
if ($in{'add_form'}) { if ($per_add) { &html_add_form; } else { &html_unauth; } }
elsif ($in{'add_record'}) { if ($per_add) { &add_record; } else { &html_unauth; } }
elsif ($in{'view_search'}) { if ($per_view) { &html_view_search; } else { &html_unauth; } }
elsif ($in{'view_records'}) { if ($per_view) { &view_records; } else { &html_unauth; } }
else {
&html_login_failure($status);
}
}
too many session files