I am trying to use server authentication of users with an Apache web server running under Unix. Basically, I can type in my username and password and when accepted, the dbman script returns the main menu. However, when you try to submit the form in the add record section, it jumps back to the main (dbman) logon screen, requiring the user to enter their password again, losing the data. Should this be happening, and if not, how do I fix it?
I noticed something similar. When I go to db.cgi, which is in a protected directory, the user goes directly to the add form as if he or she had logged in via dbman. One can't actually add, though, until one has passed through the dbman login. So it appears as if the server directory authentication is mistaken by dbman as a login. The appropriate permissions are not granted, though, so one is re-routed to the log-in page after attempting to do anything.
The problem is that the structure of the .pass file is totally different than the .htpasswd file. It would be highly problematic to re-write the .htaccess process to allow the extra fields that are in the .pass file in DBMAN.
Regards,
------------------
Eliot Lee
Founder and Editor
Anthro TECH, L.L.C
http://www.anthrotech.com/
info@anthrotech.com
==========================
Coconino Community College
http://www.coco.cc.az.us/
Web Technology
Coordinator
elee@coco.cc.az.us
Oct 5, 1999, 9:55 AM
New User (4 posts)
Post #5 of 9
Views: 2309
I did some experimentation with this, and managed to make it work by adding some lines into the auth.pl script. Basically, when using web server authentication, the lock file is not created and other variables are not initialised. Adding the following lines in seems to sort out the problem:
After the line
elsif ($server_auth) { # The user has logged in via server authentication.
Add the following:
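# Take the user name that the web server has already authenticated.
$userid = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
$uid = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
# Build a session id from the user name, the time and a random number.
srand( time() ^ ($$ + ($$ << 15)) );
$db_uid = "$userid." . time() . (int(rand(100000)) + 1);
# Create the session file in the auth directory.
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$db_uid. Reason: $!\n");
print AUTH "$uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
# Make sure the four permission flags are integers.
foreach (0 .. 3) { $permissions[$_] = int($permissions[$_]); }
&auth_logging('logged on', $userid) if ($auth_logging);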
The only slight problem with this is that you are required to maintain two password files: the dbman one and the web server one. However, it should be possible to modify the script to maintain these automatically...
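A stand-alone sketch of the session-file step in the post above, added here as an example and not part of the original post or of DBMan's auth.pl: it checks REMOTE_USER before the value becomes part of a file name, draws the numeric suffix from /dev/urandom instead of time() and rand(), and creates the file exclusively. The sub names, the user-name pattern and the temporary directory standing in for $auth_dir are assumptions, and it is not a drop-in replacement for the lines in the post.

```perl
#!/usr/bin/perl
# Added example (not DBMan code): session file for a server-authenticated user.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Assumption: user names are 1-32 letters or digits, so REMOTE_USER can
# never carry "/" or ".." into the session file name.
sub safe_userid {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9]{1,32})\z/;
    return $1;    # the captured copy is also untainted under -T
}

# 16 bytes from the kernel random source, rendered as decimal digits so the
# id keeps the "userid.digits" shape used in the post.
sub random_digits {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, 16);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return join '', unpack('N4', $buf);
}

# Returns the new session id; dies if the user name is not acceptable.
sub create_session {
    my ($auth_dir, $remote_user, $remote_host) = @_;
    my $userid = safe_userid($remote_user);
    die "rejected user name from server authentication\n" unless defined $userid;
    my $db_uid = "$userid." . random_digits();
    # O_EXCL fails if the name already exists (including as a symlink);
    # mode 0600 keeps the file private to the CGI user.
    sysopen(my $auth, "$auth_dir/$db_uid", O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "unable to open auth file: $auth_dir/$db_uid. Reason: $!\n";
    print {$auth} "$userid: " . ($remote_host // '') . "\n";
    close $auth or die "close failed: $!";
    return $db_uid;
}

# Constructed inputs: a temporary directory stands in for $auth_dir.
my $dir = tempdir(CLEANUP => 1);
print "session: ", create_session($dir, 'alice', 'host.example'), "\n";
for my $bad ('../../etc/passwd', 'a/b', '') {
    print "rejected: '$bad'\n" unless defined safe_userid($bad);
}
```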
Some suggestions:
1) Store all your sensitive files (.pass, .db, etc.) in a password directory outside of the main DBMAN directory.
I do this on all my DBMAN sites.
2) Take out the authorisation option, and use another cgi script to add users to the .htpasswd file. Some scripts are located at cgi-resources.com.
Regards,
------------------
Eliot Lee
Anthro TECH,L.L.C
www.anthrotech.com
* Be sure to visit the Resource Center for FAQ's, Modifications and Extra Goodies!!
* Search Forums!
* Say NO to Duplicate Threads. :)
----------------------