10.7.2 Controlled Access Applications - Continued

We store user names, passwords and permissions in the passwd table. Passwords are one-way encrypted, so a hacker can't see all the passwords for everyone if there's a security breach.

The mkadmin function initializes our table, creating our first admin user. Therefore, first we must run mkadmin once from the command line (because no web user should be allowed to re-init the table!):

    texis passwd/mkadmin.html

It creates the password table and the admin user, prompting us for a password to assign for the user. Now we can go to our browser and login as the admin user. Since admin has full privileges, it's best we now create some non-admin "ordinary" users via the Create User link.

The core function is verifyuser. This is called at the top of every protected page in the application, via our look function. It checks the user and password against the table, and redirects to a login page if the user hasn't logged in or has a bad password. A session cookie is created with the user's data, so they only have to login once per session.

The login function prompts for the login, for non-logged in users. It submits to the protected application entry point, main in our patent script.

The okperm function checks a user's permission level, after we've verified their password with verifyuser. We can use this to deny non-admin users access to the admin pages, such as createuser and deluser: note the calls to <okperm> in those functions.
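The flow described above (one-way hashed passwd table, one-shot mkadmin, verifyuser issuing a session token, okperm gating the admin-only functions) is easy to get subtly wrong, so here is an added, self-contained Python model of it. This is illustrative code written for this page, not the Vortex passwd script itself: the table is an in-memory dict rather than a Texis table, the salted PBKDF2 hash stands in for whatever one-way encryption the script uses, and the function names, the ADMIN_LEVEL constant and the session store are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

ADMIN_LEVEL = 10          # assumed permission level for admin (example value)
PBKDF2_ROUNDS = 200_000   # work factor for the one-way hash

# Constructed stand-in for the passwd table: user -> {salt, hash, perm}.
# Only the salted one-way hash is stored, never the password itself.
PASSWD = {}
# Constructed stand-in for the session cookie store: token -> user name.
SESSIONS = {}


def hash_password(password, salt):
    """One-way, salted hash; the same input always maps to the same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def createuser(name, password, perm):
    """Add a user with a fresh random salt and the given permission level."""
    salt = os.urandom(16)
    PASSWD[name] = {"salt": salt, "hash": hash_password(password, salt), "perm": perm}


def mkadmin(password):
    """One-shot initialisation: create the first admin user.

    Refuses to run if the table already exists, mirroring why mkadmin is run
    once from the command line and never exposed to web users."""
    if PASSWD:
        raise RuntimeError("passwd table already initialised; refusing to re-init")
    createuser("admin", password, ADMIN_LEVEL)


def verifyuser(name, password):
    """Check name/password against the table.

    Returns a session token on success, None on failure (caller redirects
    to the login page). Unknown users still pay the hash cost so a timing
    difference does not reveal which user names exist."""
    rec = PASSWD.get(name)
    if rec is None:
        hash_password(password, b"\0" * 16)
        return None
    if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = name
    return token


def look(token):
    """Stand-in for the look function: resolve the session cookie to a user,
    or None if the visitor is not logged in."""
    return SESSIONS.get(token)


def okperm(name, required):
    """True if the (already verified) user's level meets the requirement."""
    rec = PASSWD.get(name)
    return rec is not None and rec["perm"] >= required


def deluser(token, target):
    """Admin-only page: verify the session first, then check permission."""
    actor = look(token)
    if actor is None or not okperm(actor, ADMIN_LEVEL):
        return False
    if target == "admin":
        return False   # keep the bootstrap admin from deleting itself
    return PASSWD.pop(target, None) is not None


if __name__ == "__main__":
    mkadmin("initial-admin-pw")              # constructed sample password
    admin_tok = verifyuser("admin", "initial-admin-pw")
    createuser("alice", "alice-pw", 1)       # an "ordinary" user
    alice_tok = verifyuser("alice", "alice-pw")
    print("alice may delete:", deluser(alice_tok, "admin"))   # False
    print("admin may delete:", deluser(admin_tok, "alice"))   # True
```

The two checks in deluser are deliberately ordered: look/verifyuser establishes who the caller is, and only then does okperm decide whether that identity is allowed in. Calling okperm on an unverified name would let anyone claim to be admin.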