NAME
CGI::AuthenticationFramework - A CGI authentication framework that utilizes mySQL for the user and session management
VERSION
Version 0.09
SYNOPSIS
Allows the login authentication, registration of user accounts, and password reset of webbased users.
Sample CGI script :-
#!/usr/bin/perl
use strict;
use CGI::AuthenticationFramework;
use DBI;
use CGI;
my $cgi = new CGI;
# == connect to the database
my $dbh = DBI->connect("DBI:mysql:database=DATABASE;host=SERVERNAME",'username','password') || die $DBI::errstr;
# == create the authentication link
my $sec = CGI::AuthenticationFramework->new({
dbh => $dbh,
cgi => $cgi
});
# == create the tables
$sec->setup_database(); # run this only once for performance.. No damage to keep it there
# == do we go through, or block access.. This is where the rubber meets the road
$sec->secure();
# == once we get through that, we can send our headers
print $sec->header();
# == We can call some additional functions
print "<a href=\"javascript:void();\" onclick=\"javascript:securefunction('logout');\">Logout</a>\n";
print "<a href=\"javascript:void();\" onclick=\"javascript:securefunction('password');\">Change password</a>\n";
if($sec->is_admin)
{
print "<a href=\"javascript:void();\" onclick=\"javascript:securefunction('admin');\">Admin</a>\n";
}
print "<p>\n";
print "This is the secret message.<br>\n";
print "Email Address is $sec->{username}<br>\n";
print "Session ID is $sec->{session}<br>\n";
print "</p>";
print "<a href=\"#\">Me again</a>\n";
# == when we're done, we call the finish function. This clears the data connection, and prints the footer code
$sec->finish();FUNCTIONS
new
Creates a new authentication connection
my $sec = CGI::AuthenticationFramework->new({
dbh => $dbh,
cgi => $cgi
});Options
dbh
Defined the database handle to use
cgi
Defines the CGI handle to use
cookie
The name of the cookie (default is 'my_cookie')
header
Default header code to include
footer
Default footer code to include
yubikey
To enable yubikey support, set to 1.
When you enable yubikey support, you have to set the yubi_id and yubi_api fields as well. To get these, you need to sign up at https://upgrade.yubico.com/getapikey/
timeout
Defines the timeout before a user has to log on again. Default is 600 seconds.
register
If you need users to register on their own, set the register option to 1. Default is 0
register_template & forgot_template
Optional template that will be used to send the registration email.
use %URL% to define the URL that will be clicked by the user. Use %BASE% for the base URL of the program
register_subject & forgot_subject
Optional subject that will be used
register_from & forgot_from
Optional from email address to use
forgot
If you need users to have the ability to reset their passwords by emailing a new one to them, set this option to 1. Default is 0. =head4 SMTP server settings
If you have register enabled, you need to specify SMTP settings
smtpserver
The hostname of the SMTP server
smtpuser , smtppass
The smtpuser and smtppass parameters are optional. If your SMTP server requires you to authenticate, set these two fields.
captcha
Defined if you want to use a captcha. Default is 0.
Sign up for a free API from https://www.google.com/recaptcha/admin/create and enter the values in captcha_public and captcha_private
secure
The main gatekeeper.. Checks if the session is valid. If not, pass control to the login screen. If the session is still valid, the timeout is reset, and control is returned to the main program.
header
Works identical to CGI::header. The only difference is the adding of a cookie to the header, and passing the header value if defined from the new function.
finish
Function to send the footer, and sign everything off. Call this function last (or if you want to terminate the program
form
Generates an HTML form based on a schema
form (schema,submit text,hidden func field,title for the header,captcha option,%VALUES)
Schema format (field name, description, type, validation, sql)
fieldname
The field name that will be used in SQL and param calls
description
The field name that will be displayed
type
The type of the field, ie text, textarea, dropdown, or password
size
Defines the size of the field.
validation
Defines the input data check that will be performed to ensure the input validation is passed. Options can be email, password, number or text.
sql
Defines the SQL query to execute that will populate a dropdown list, should you use a dropdown.
form_update
Updates the data in the table
input : schema, table name
form_edit
Shows the edit form after an id was passed to it
input : schema, table, title, button text, func field
form_delete
Deletes the entry from the table
form_insert
Takes the input from a form, and inserts it into a database
Input : schema, table, default values (for readonly fields)
form_list
Show the result of a SQL table
form_create_table
Create a mySQL table based on a schema definition
input : schema, table name
set_variable
Defines a session variable
input : parameter, value
get_variable
Retrieves a session variable
input : parameter
Output : value
setup_database
Call this module once to setup the database tables. Running it multiple times will only introduce excessive load on the DB, but won't delete any tables.
It will create the tables tbl_users, tbl_session, and tbl_logs.
It will also create the default user 'admin', with it's password 'password'. Remember to change this password on your first logon.
funclink
Instead of using <a href links, call this function instead. It will embed a proper javascript substitute to ensure no GET urls are posted
input : text, func
is_admin
Will advise if the user is an administrator
AUTHOR
Phil Massyn, <phil at massyn.net>
TODO
Bugs
New features * Form list -- allow "next page" if it returns more than ie 30 items on a page * Searching of tables * Authorization module (ie group membership)
Enhancements * Ability to record additional fields during registration * Form list -- add custom fields (ie add actions like Edit & Delete to it) * Change form_* functions to use hashes as inputs, not seperate fields * Change dropdown & select to use native CGI parameters
REVISION 0.09 Customize register & forget emails Added msg_* to allow customization of feedback messages Added admin module Added funclink to manage hyperlinks through javascript better Delete accounts not validated within 24 hours as part of housekeeping Clean up of logs older than 30 days in housekeeping Change javascript calls to use native cgi->a calls Added a home link to the error messages Add timestamp, IP and user agent of machines used to create account and validate account for legal requirements - This requires a schema update. If you had a version prior to 0.09, your database will need to be updated.
0.08 Change order of form_list by clicking headers Create tbl_session_vars table Added session variables through get_variable and set_variable Added housekeeping to remove orphaned table entries Fixed dropdown bug not selecting the right value - This requires a schema update. If you had a version prior to 0.08, your database will need to be updated.
0.07 Fixed GET blocking not to prevent register and forget from working Added field in database to indicate administrators Prevented "password" fields from being displayed in lists Added the 2nd field to self param Encrypt passwords when using form_insert function Encrypt passwords if they're being changed through form_update Fixed number validation when validating a 0. Added a text input validation
0.06 Added autocomplete to login form Added form_delete function Added strong password enforcement Removed debug logs from captcha procedure Added logging when database gets changed
0.05 Fixed xss to check all array elements when calling fetchrow_array Replaced all GET with POST functions, and prevent futher usage of GET Added form_edit function Fixed missing hidden id in form function Updated param function to strip unsafe characters
0.04 Updated form to handle hidden field, and input values Added textarea, and readonly fields Included dropdown with SQL in the schema support Added form_create_table Added form_insert Added form_list Added HTML::Entities for encoding output string (prevent cross site scripting) Changed the cookie's session ID to reset on every click Make the cookie secure
0.03 Added no-cache tags to header function Added input validation procedure Added input validation for tokens Moved valid_email procedure into validate_input Fixed omission of $forgot parameter check on sub forgot Added reCaptcha
0.02 Added registration option (including Net::SMTP) Changed password encryption to a salted hash Added forgotten password option Logging all messages being displayed
0.01 Initial version
TODO
There is still plenty to do.
BUGS
Please report any bugs or feature requests to bug-cgi-authenticationframework at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=CGI-AuthenticationFramework. I will be notified, and then you'llautomatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc CGI::AuthenticationFrameworkYou can also look for information at:
RT: CPAN's request tracker (report bugs here)
http://rt.cpan.org/NoAuth/Bugs.html?Dist=CGI-AuthenticationFramework
AnnoCPAN: Annotated CPAN documentation
CPAN Ratings
Search CPAN
ACKNOWLEDGEMENTS
LICENSE AND COPYRIGHT
Copyright 2013 Phil Massyn.
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.
DISCLAIMER
This module has not been scrutinized yet. It may very well contain security issues. Although unintentional, you should excersize caution, and not start deploying production systems on this code. Any bugs or issues raised will be rectified. Use this module at own risk.
2 POD Errors
The following errors were encountered while parsing the POD:
- Around line 1967:
'=item' outside of any '=over'
- Around line 1971:
You forgot a '=back' before '=head1'