On 12/07/07, MJ Ray <mjr@phonecoop.coop> wrote:
> sagr <alug1@suffolk-ancestor-genealogy-research.co.uk> wrote: [...]
> > common "Customer Area" webpage where our customers can type in their login name and password and then be automatically taken to a protected personal webpage listing the files waiting for them to download. [...]
>
> +1 to the comment about using a framework, but if you want to do this directly, the CGI variable REMOTE_USER (so $ENV{'REMOTE_USER'} in Perl and $_SERVER['REMOTE_USER'] in PHP IIRC) contains the name that they used to log in to your .htaccess protection.
But don't do it. Frameworks help reduce (but not eliminate) security flaws. If you're using Perl, use CGI.pm to interact with the browser. But again, this only helps reduce flaws. I'm sure similar things exist for other languages too; investigate, understand, and use them.
To be honest, if you're Internet-facing you need to be /really/ good at what you're doing, and understand 100% the effects and impacts of introducing non-static content - otherwise you risk malicious defacement etc.
I've various intranet-facing sites, and although they are not 100% security proof (I'm aware of a couple of areas where I don't fully validate input), I am at least aware of this, and am happy with the risk I'm taking in a closed environment. I wouldn't dare take such risks on the internet proper.
Greg
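An added example, not from anyone in this thread: the "customer area" script MJ Ray describes, written in Python rather than the Perl/PHP mentioned, since the mechanism is the same CGI variable. It assumes a constructed layout of one directory per customer under CUSTOMER_ROOT named after the .htaccess login, and it refuses the request whenever REMOTE_USER is absent (no web-server authentication happened) or is not a plain identifier, so the login name is never used to build an arbitrary path.

```python
import re
import html
import tempfile
from pathlib import Path

# Assumed layout (constructed for this example): one directory per customer under CUSTOMER_ROOT.
CUSTOMER_ROOT = Path("/var/www/customer-files")

# Accept only plain identifiers as login names; anything else is refused, not used as a path.
LOGIN_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")

def customer_dir(environ, root=CUSTOMER_ROOT):
    """Return the authenticated customer's directory, or None to refuse."""
    user = environ.get("REMOTE_USER", "")
    # An empty REMOTE_USER means the web server did not authenticate this
    # request: the .htaccess protection is missing or misconfigured here.
    if not LOGIN_RE.fullmatch(user):
        return None
    root = root.resolve()
    target = (root / user).resolve()
    # Belt and braces: the resolved path must still be a child of the root.
    if target.parent != root or not target.is_dir():
        return None
    return target

def list_files(environ, root=CUSTOMER_ROOT):
    """Names of the files waiting for this customer, or None if refused."""
    d = customer_dir(environ, root)
    if d is None:
        return None
    return sorted(p.name for p in d.iterdir() if p.is_file())

def render_page(environ, root=CUSTOMER_ROOT):
    """Build (status, html_body) for the CGI response; all output is escaped."""
    files = list_files(environ, root)
    if files is None:
        return "403 Forbidden", "<p>Not authorised.</p>"
    user = html.escape(environ["REMOTE_USER"])
    items = "".join(f"<li>{html.escape(n)}</li>" for n in files)
    return "200 OK", f"<h1>Files for {user}</h1><ul>{items}</ul>"

def make_demo_root():
    """Constructed sample tree (one customer, two files) for trying this out."""
    root = Path(tempfile.mkdtemp())
    (root / "alice").mkdir()
    (root / "alice" / "invoice.pdf").write_bytes(b"pdf")
    (root / "alice" / "report.txt").write_bytes(b"txt")
    return root
```

In a real CGI deployment you would call render_page(os.environ) and print the status and Content-Type headers before the body.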