The first approach was to try to incorporate mod_auth to authenticate users. Unfortunately, if I used mod_auth pointed at just a file, there was no way to have wildcards in the file to allow the users to use any ID to get in. Remember, I don't want to prevent anyone from getting to the app, I just want to know who is using it. Using mod_auth_ldap didn't work any better. Despite many attempts to get a test Fedora Core 3 box running Apache to talk to the company's Active Directory server, I could never get the LDAP authentication to work. On the HP box it was even worse: the child process would die whenever the LDAP module was invoked.
But I didn't really need the authentication that mod_auth provides, I just needed a way to identify the users. So, I came up with the idea of using a cookie to store the value of the user's login ID. I added this to the CGI script that the users wanted to run:
EndOfHTML print end_html;
cookiecheck.cgi then calls setlogincookie.cgi which takes the value assigned to loginID and places it in a cookie and sends it to the browser, like so:
Then setlogincookie.cgi redirects the user back to the originally desired CGI script, and the whole process starts over again. But this time, the user will have a cookie and will therefore just be passed the contents of the desired part of the CGI script. This approach also has the advantage or preventing the user from just hitting enter without providing a login name to try to get to the app. Just hitting enter at the form will assign no value to the loginid variable and so will fail. I set the cookie to expire after 1000 days so that they only have to go through this process once (at least for a long time).
One other thing: You also need to tell Apache to log the cookies. I used the following CustomLog setting in the httpd.conf file to put the cookie entries into a separate log file to make it easier to analyze:
CustomLog logs/cookies "%{loginid}C %h %t %r" The above says to log the value of the loginid cookie, followed by the client host address, the date/time, and the document requested.
I used this document to figure out a way to both set a cookie in the header and redirect the user back to the originally-desired CGI script. This was important, because most docs I found on redirects said NOT to send a header; but if I don't send a header then the cookie wouldn't get set. I'll show the code from that doc just in case it disappears in a few years.
See also the CGI 101 Book, in particular chapters 10 & 17.
03/24/2005