views: 146
answers: 3

Hi, I'm having some difficulties making this work.

I have a login HTML form, and I want to know if the user and password match with the information in my MySQL server.

What is the best way to do it?

Thank you very much

+1  A: 

Always store hashed values of passwords. When you have to validate the user credentials, hash the password input by the user and compare it against the hashed password value corresponding to the particular user.

Alan Haggai Alavi
I have that in mind; I was looking more for a programming reply or some explanation of how to do it.
Davidslv
+2  A: 

Create a Mason component that validates your username/password combination against MySQL with DBI and returns true or false if it is passed username and password in the %ARGS hash. Then load the component in the top of your login form, using the return value to determine whether to show the login form or redirect to your content.

MkV
+3  A: 

I know this question is a little old now but I thought I'd answer for posterity.

I think you have a few options.

One option is to not use HTML::Mason for the password validation at all. This is what we used to do. Since your HTML::Mason page is likely running inside a web server you can probably use it to do your username and password validation. For example if you're using Apache and mod_perl to serve your site, there are several modules for authentication, including one that can talk to MySQL and validate against a user table with username and password columns. Check the documentation for mod_authn_dbd for Apache 2.2. I recommend this approach.

Another way to do it is to use a framework like Catalyst. Catalyst already has the plugins for doing the kind of authentication you require and it will save you having to think about most of the issues you'll need to code for yourself if you try and do it 100% in Mason. You can still use HTML::Mason for your page templates.

If you've got your heart set on using HTML::Mason to do the authentication then I would do it this way:

  • Place an autohandler in the folder you wish to protect -- note that all sub-folders will receive the same authentication protection

  • In an <%init> block in the autohandler, check for a valid session token in the cookie. If none exists, redirect ($m->redirect) to your login form. Otherwise, do nothing -- the autohandler will continue running and the page will be served.

  • In your login form handler, extract the username and password in an <%args> block. Using the username, retrieve the hashed password from the database. Extract the salt, prepend it to the plaintext password provided by the user and re-hash it. Then compare the hash strings. If they don't match, redirect back to the login page with an error. Otherwise pass through.

If parts of the above don't make sense look around on this site for "salting passwords" etc. As the original replier noted, it's bad karma to store plaintext passwords in the database. :-)

Hissohathair
I would say that using Catalyst and HTML::Mason together would be fine if someone else had already gone to the enormous headache of setting up Catalyst (and its gazillion module dependencies) in the first place.
PP
Thanks Hissohathair! This is the kind of reply I was looking for. Gonna study what you said! Thanks again. Happy X'mas for all!
Davidslv
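The Mason-only route from Hissohathair's three steps (and the true/false DBI check MkV describes), written out as two HTML::Mason components. This is an added example, not code from the thread or from HTML::Mason itself. It assumes Apache/mod_perl (so `$r` is available), a `users` table whose `password` column holds `<salt>$<sha256 hex of salt . plaintext>`, a `sessions` table with `token`, `username` and `expires` columns, and placeholder DSN/credentials; the column layout and cookie name `session` are constructed for the example.

```perl
# ---- /protected/autohandler --------------------------------------------
# Step 2: every page under /protected/ runs this first. Assumed table and
# cookie layout are described in the lead-in; DSN values are placeholders.
<%once>
use DBI;
use CGI::Cookie;
my $dsn = 'dbi:mysql:database=PLACEHOLDER_DB;host=localhost';
</%once>
<%init>
my %cookies = CGI::Cookie->parse($r->headers_in->{Cookie} || '');
my $token   = $cookies{session} ? $cookies{session}->value : undef;

# No session cookie at all: send the browser to the login form.
$m->redirect('/login.html') unless defined $token;

my $dbh = DBI->connect($dsn, 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS',
                       { RaiseError => 1 });
# Validate the token server-side; the cookie value alone proves nothing.
my ($user) = $dbh->selectrow_array(
    'SELECT username FROM sessions WHERE token = ? AND expires > NOW()',
    undef, $token);
$m->redirect('/login.html') unless defined $user;
</%init>
% # Token is valid: render the page that was actually requested.
% $m->call_next;

# ---- /login_handler.html -----------------------------------------------
# Step 3: the form posts username/password here.
<%args>
$username => ''
$password => ''
</%args>
<%once>
use DBI;
use Digest::SHA qw(sha256_hex);
use CGI::Cookie;
my $dsn = 'dbi:mysql:database=PLACEHOLDER_DB;host=localhost';

# Compare two equal-length strings without stopping at the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}
</%once>
<%init>
my $dbh = DBI->connect($dsn, 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS',
                       { RaiseError => 1 });
# Bind parameters keep the submitted username out of the SQL text.
my ($stored) = $dbh->selectrow_array(
    'SELECT password FROM users WHERE username = ?', undef, $username);

# Split "salt$hash"; hash even for unknown users so the response time does
# not reveal which usernames exist.
my ($salt, $hash) = defined $stored ? split(/\$/, $stored, 2) : ('', '');
my $candidate = sha256_hex($salt . $password);

$m->redirect('/login.html?error=1')
    unless defined $stored && constant_time_eq($candidate, $hash);

# Success: mint a random token from the kernel RNG, store it, set the cookie.
open my $rng, '<', '/dev/urandom' or die "urandom: $!";
read $rng, my $bytes, 32;
close $rng;
my $token = unpack 'H*', $bytes;
$dbh->do('INSERT INTO sessions (token, username, expires)
          VALUES (?, ?, NOW() + INTERVAL 1 HOUR)', undef, $token, $username);

my $cookie = CGI::Cookie->new(-name => 'session', -value => $token,
                              -path => '/', -httponly => 1, -secure => 1);
$r->err_headers_out->add('Set-Cookie' => $cookie->as_string);
$m->redirect('/protected/index.html');
</%init>
```

The block keeps the answer's salt-prepended single SHA hash so that each step maps one-to-one onto the list above; for new code a deliberately slow password hash (bcrypt via Crypt::Eksblowfish::Bcrypt, for instance) is the better choice, and the rest of the flow is unchanged. Note that `$m->redirect` aborts the request, which is why the autohandler never reaches `$m->call_next` for an unauthenticated visitor.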