[ALUG] Creating Customer Login facility on a website
Greg Thomas
Greg at TheThomasHome.co.uk
Thu Jul 12 16:02:45 BST 2007
On 12/07/07, MJ Ray <mjr at phonecoop.coop> wrote:
> sagr <alug1 at suffolk-ancestor-genealogy-research.co.uk> wrote: [...]
> > common "Customer Area" webpage where our customers can type in their login
> > name and password and then be automatically taken to a protected personal
> > webpage listing the files waiting for them to download. [...]
>
> +1 to the comment about using a framework, but if you want to do this
> directly, the CGI variable REMOTE_USER (so $ENV{'REMOTE_USER'} in Perl
> and $_SERVER['REMOTE_USER'] in PHP IIRC) contains the name that they
> used to login to your .htaccess protection.
But don't do it. Frameworks help reduce (but not eliminate) security
flaws. If you're using Perl, use CGI.pm to interact with the browser.
But again, this only helps reduce flaws. I'm sure similar things exist
for other languages too; investigate, understand, and use them.
To be honest, if you're Internet facing you need to be /really/ good
at what you're doing, and understand 100% the effects and impacts of
introducing non-static content - otherwise you risk malicious
defacement etc.
I've various intranet facing sites, and although they are not 100%
security proof (I'm aware of a couple of areas where I don't fully
validate input), I am at least aware of this, and am happy with the
risk I'm taking in a closed environment. I wouldn't dare take such
risks on the internet proper.
Greg
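An added illustration of the approach quoted above, combining the REMOTE_USER-from-.htaccess idea with the CGI.pm and input-validation advice (example code, not from anyone in the thread): the customer-area script trusts only the name Apache sets after a successful login, whitelists it before it touches the filesystem, and escapes everything it echoes. The file root and the download.cgi handler it links to are assumed.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Apache's .htaccess (AuthType Basic,
# Require valid-user) does the authentication; this script only reads
# REMOTE_USER, which the server sets after login, never a form field.
# Taint mode (-T) refuses to open a path built from unchecked input.
use strict;
use warnings;
use CGI qw(:standard);
use CGI::Util qw(escape);          # URL-encoding for the download links

my $FILE_ROOT = '/srv/customer-files';   # assumed: one directory per customer

sub customer_name {
    # REMOTE_USER is missing when the directory is not actually protected,
    # the classic misconfiguration; fail closed instead of listing anything.
    my $user = $ENV{'REMOTE_USER'};
    return undef unless defined $user;
    # Whitelist untaint: "../", "/" or shell metacharacters never become a path.
    return $user =~ /^([a-z0-9][a-z0-9_.-]{0,31})$/ ? $1 : undef;
}

sub list_files {
    my ($dir) = @_;
    opendir(my $dh, $dir) or return ();     # no directory yet: empty list
    my @files = sort grep { !/^\./ && -f "$dir/$_" } readdir($dh);
    closedir($dh);
    return @files;
}

my $user = customer_name();
unless (defined $user) {
    print header(-status => '403 Forbidden'), start_html('Forbidden'),
          p('No authenticated customer.'), end_html;
    exit;
}

my @files = list_files("$FILE_ROOT/$user");
print header(-charset => 'UTF-8'), start_html('Customer Area');
print h1('Files waiting for ' . escapeHTML($user));
if (@files) {
    # Link through a download handler (assumed to repeat the same checks),
    # never to the raw directory; escape names for both the URL and the HTML.
    print ul(li([ map { a({-href => 'download.cgi?f=' . escape($_)},
                          escapeHTML($_)) } @files ]));
} else {
    print p('Nothing is waiting for you at the moment.');
}
print end_html;
```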