i've been using a sort of htaccess to login to dbman and just noticed that it seems to go thru the auth_check_password routine every time i do anything. i discovered it by looking at logfile which contained a zillion logins and the auth directory had a zillion session files. here is the section of auth.pl i customized. can anyone see what's wrong? thanks.
sub auth_check_password {
# --------------------------------------------------------
# This routine checks to see if the password and userid found
# in %in (must be 'pw' and 'userid') match a valid password and
# userid in the password file.
# It returns a status message and a userid which is built by a
# "user name" + "random number"
# which get's stored in the query string.
my ($pass, @passwd, $userid, $pw, @permissions, $file, $uid, $junk, $pers, @perwd, $xuserid, $xpw,);
my ($server_auth) = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
######
if ($server_auth eq 'kaz') {
$server_auth = '';
}
########
if ($auth_no_authentication || (($db_uid eq 'default') && $auth_allow_default)) {
return ('ok', 'default', @auth_default_permissions);
}
elsif ($server_auth) { # The user has logged in via server authentication.
##########
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
$db_uid = "$server_auth." . time() . (int(rand(100000)) + 1);# Build User Id
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$uid. Reason: $!\n");
print AUTH "$uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
&auth_logging('logged on', $server_auth) if ($auth_logging);
#########
return ('ok', $server_auth, &auth_check_permissions($server_auth));
}
elsif ($in{'login'}) { # The user is trying to login.
open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n");
my @passwds = <PASSWD>; # Let's get the user id and passwords..
close PASSWD;
PASS: foreach $pass (@passwds) { # Go through each pass and see if we match..
next PASS if ($pass =~ /^$/); # Skip blank lines.
next PASS if ($pass =~ /^#/); # Skip Comment lines.
chomp ($pass);
my ($view, $add, $mod, $del, $spec, $admin, $mail);
($userid, $pw, $view, $add, $mod, $del, $spec, $admin) = split (/:/, $pass);
if ((lc($in{'userid'}) eq lc($userid)) && (crypt($in{'pw'}, $pw) eq $pw)) {
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
$db_uid = "$userid." . time() . (int(rand(100000)) + 1);# Build User Id
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$uid. Reason: $!\n");
print AUTH "$db_uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
####
&auth_logging('logged on', $userid) if ($auth_logging);
return ('ok', $db_uid, &auth_check_permissions($db_uid))
################
# }
}
}
return ("invalid username/password");
}
elsif ($db_uid) { # The user already has a user id given by the program.
(-e "$auth_dir/$db_uid") ?
return ('ok', $db_uid, &auth_check_permissions($db_uid)) :
return ('invalid/expired user session');
}
else { # User has not logged on yet.
return 'no login';
}
}
sub auth_check_password {
# --------------------------------------------------------
# This routine checks to see if the password and userid found
# in %in (must be 'pw' and 'userid') match a valid password and
# userid in the password file.
# It returns a status message and a userid which is built by a
# "user name" + "random number"
# which get's stored in the query string.
my ($pass, @passwd, $userid, $pw, @permissions, $file, $uid, $junk, $pers, @perwd, $xuserid, $xpw,);
my ($server_auth) = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
######
if ($server_auth eq 'kaz') {
$server_auth = '';
}
########
if ($auth_no_authentication || (($db_uid eq 'default') && $auth_allow_default)) {
return ('ok', 'default', @auth_default_permissions);
}
elsif ($server_auth) { # The user has logged in via server authentication.
##########
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
$db_uid = "$server_auth." . time() . (int(rand(100000)) + 1);# Build User Id
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$uid. Reason: $!\n");
print AUTH "$uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
&auth_logging('logged on', $server_auth) if ($auth_logging);
#########
return ('ok', $server_auth, &auth_check_permissions($server_auth));
}
elsif ($in{'login'}) { # The user is trying to login.
open (PASSWD, "<$auth_pw_file") || &cgierr("unable to open password file. Reason: $!\n");
my @passwds = <PASSWD>; # Let's get the user id and passwords..
close PASSWD;
PASS: foreach $pass (@passwds) { # Go through each pass and see if we match..
next PASS if ($pass =~ /^$/); # Skip blank lines.
next PASS if ($pass =~ /^#/); # Skip Comment lines.
chomp ($pass);
my ($view, $add, $mod, $del, $spec, $admin, $mail);
($userid, $pw, $view, $add, $mod, $del, $spec, $admin) = split (/:/, $pass);
if ((lc($in{'userid'}) eq lc($userid)) && (crypt($in{'pw'}, $pw) eq $pw)) {
srand( time() ^ ($$ + ($$ << 15)) ); # Seed Random Number
$db_uid = "$userid." . time() . (int(rand(100000)) + 1);# Build User Id
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$uid. Reason: $!\n");
print AUTH "$db_uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
####
&auth_logging('logged on', $userid) if ($auth_logging);
return ('ok', $db_uid, &auth_check_permissions($db_uid))
################
# }
}
}
return ("invalid username/password");
}
elsif ($db_uid) { # The user already has a user id given by the program.
(-e "$auth_dir/$db_uid") ?
return ('ok', $db_uid, &auth_check_permissions($db_uid)) :
return ('invalid/expired user session');
}
else { # User has not logged on yet.
return 'no login';
}
}