Newbie question-- Perl pw authentication without pop-up prompt

[Mike O'Leary]

Hello, forgive me if this is the worng group to be asking this in, but I
hope you guys can help this relative newbie out. My boss is looking to
password protect certain areas of the server, but with the following
stipulation: The username and password must be entered in a form, and
not using the standard .htaccess pop-up window. He's specifically
looking for either of the following:

1) A perl script that utilizes the .htaccess protections of the
company's Apache server, but doesn't bring up the pop-up password box.

2) Something that completely foregoes .htaccess, but still provides
similar protection using a login page.

So far we've tried a program called Locked Area Lite, which is an
excellent program that did exactly what we needed except for one
problem: A change from Internet Explorer 5 to Internet Explorer 6 has
eliminated the method that Locked Area used to send the password via an
html page.

We also have a copy of the Cgi-Perl Cookbook, which has a script called
authenticate.cgi, but it never seemed to work.

I've checked through groups.google.com and have sifted through numerous
posts but none of which have given us a solution.

Also, in your opinion, is a perl/cgi based authentication setup secure.
I've seen a few newsgroup posts that hint it's not as effective as
..htaccess, but I'd be curious to know if it would be best not to use on
a company web server.

Thank you for your time. Any assistance is appreciated.

Mike O

 

[nobull]

Hello, forgive me if this is the worng group

This newsgroup does not exist. It is definitely the wrong group in
all cases. Even if it did exist it would probablty be wrong.

My boss is looking to
password protect certain areas of the server, but with the following
stipulation: The username and password must be entered in a form, and
not using the standard .htaccess pop-up window. He's specifically
looking for either of the following:

1) A perl script that utilizes the .htaccess protections of the
company's Apache server, but doesn't bring up the pop-up password box.

2) Something that completely foregoes .htaccess, but still provides
similar protection using a login page.

So far we've tried a program called Locked Area Lite, which is an
excellent program that did exactly what we needed except for one
problem: A change from Internet Explorer 5 to Internet Explorer 6 has
eliminated the method that Locked Area used to send the password via an
html page.

We also have a copy of the Cgi-Perl Cookbook, which has a script called
authenticate.cgi, but it never seemed to work.

CGI is the wrong tool is you want Apache to serve up regular static
content but want to hook in to the authentication phase. You probably
should use a cookie-based authentication module for Apache mod_perl
e.g. Apache::AuthCookie.

If you don't want to be cookie dependant there's also
Apache::AuthCookieURL but it strikes me that it would be better to
require cookies. After all this is precisely why cookies exist.

I've checked through groups.google.com and have sifted through numerous
posts but none of which have given us a solution.

Also, in your opinion, is a perl/cgi based authentication setup secure.
I've seen a few newsgroup posts that hint it's not as effective as
.htaccess,

That would depend on many factors. So long as access (other than web
access) to your web server is restricted to trusted persons then all
authentication schemes that involve transmitting a plain-text
equivalent password are as strong or as weak as the tranmission
channel.

 

[Mike O'Leary]

Thank you! You've been beyond helpful. We'll do some more research here
and hopefully this will all work out.

Mike O.