
Help Tracking User Authentication

Need to monitor access to password only areas


FTC

9:49 am on Nov 14, 2001 (gmt 0)



Greetings all,

A client has requested some work that lies outside the current reach of my feeble melon, and I need some help pretty badly.

I've had no problems creating password protected directories on Apache server using .htaccess, but now these twists have been thrown in: 1) Must be able to track authentications by user. 2) Requested one (or a few) user/pass that is always valid (OK, easy) and the ability to add new users that automatically deactivate after a few days (GULP!). The number of users could reach a few hundred.

#1 is a must, #2 would be nice. I've done a lot of looking, but found nothing. Ideally, if there is a logfile analyzer that can tend to #1, that would be awesome. None I've looked at offer this function. The simpler the solution, the better. Any suggestions?

Many thanks in advance....FTC

sugarkane

12:01 pm on Nov 19, 2001 (gmt 0)




Hi FTC, welcome to WebmasterWorld :)

Sorry this reply has taken so long. #1 at first glance seemed easy, but as you say there's little info to be found. I think some sort of custom logging solution would be necessary - hopefully this page [modperl.com] will spark off a few ideas - the code looks like it could be modified to log both successful and unsuccessful requests.

As for #2 - 'gulp' is right! I'm afraid I have little experience in this area. Can anyone step up with a solution?

gethan

4:14 pm on Nov 19, 2001 (gmt 0)




Well - no solution just an approach, #2 isn't easy.

I'm not aware of anything out there that has this level of control. So I'd make something, this is the way I would tackle the problem.

It will require some programming - perl would be my choice. Using the DBI module you could interface to a DB.

The basic auth table would be user, password, expires. If expires is null then it's one of the permanents. I would then have an admin form that would allow my client to add new users and optionally set them to expire in a few days.

As for the actual logging in from the user you could use the module suggested by Sugarkane and link in totally with Apache authentication - or write a completely cgi application based security.

The downside of the cgi app is its reliance on cookies and that all pages would have to be linked in with the security part of the app, the plus side is that you have more control - custom error pages, logging in for as long as you want - even on browser restarts, pretty forms :)

So assuming you set a cookie on log in, each page requested would do this before producing any other content.

Check for cookie.
If cookie found
- validate that the cookie is genuine and that the user should still have access.
- show content - e.g. `cat page.html`
If not found - or cookie invalid - redirect user to either log in, registration or your access has expired - pay $20 to be allowed back in.

Finally if your content is particularly sensitive or valuable - make the cookie only a key for server held values. An 'md5' combination of unique info should be fine - e.g. md5("username password time") - then have a lookup table between key and user. By checking the time now with expires on your user table you can grant or deny access.

Modifying the key would be fairly pointless as the chances of hitting someone else's key would be tiny. You'd spot a brute force attack way before they got in.

OK - so this is where someone comes along with a really simple solution ;)

Good luck.