CGI::AuthenticationFramework - A CGI authentication framework that utilizes mySQL for the user and session management
Version 0.15
Allows the login authentication, registration of user accounts, and password reset of webbased users. It also provides a framework for session management, form and list creation, and basic database management, everything you need to build a full web based application.
Sample CGI script :-
#!/usr/bin/perl use strict; use CGI::AuthenticationFramework; use DBI; use CGI; my $cgi = new CGI; # == connect to the database my $dbh = DBI->connect("DBI:mysql:database=DATABASE;host=SERVERNAME",'username','password') || die $DBI::errstr; # == create the authentication link my $sec = CGI::AuthenticationFramework->new({ dbh => $dbh, cgi => $cgi }); # == create the tables $sec->setup_database(); # run this only once for performance.. No damage to keep it there # == do we go through, or block access.. This is where the rubber meets the road $sec->secure(); # == once we get through that, we can send our headers print $sec->header(); print "<p>\n"; print "This is the secret message.<br>\n"; print "Email Address is $sec->{username}<br>\n"; print "Session ID is $sec->{session}<br>\n"; print "</p>"; print "<a href=\"#\">Me again</a>\n"; # == when we're done, we call the finish function. This clears the data connection, and prints the footer code $sec->finish();
Creates a new authentication connection
my $sec = CGI::AuthenticationFramework->new({ dbh => $dbh, cgi => $cgi });
Defined the database handle to use
Defines the CGI handle to use
The name of the cookie (default is 'my_cookie')
Default header code to include
Default footer code to include
To enable yubikey support, set to 1.
When you enable yubikey support, you have to set the yubi_id and yubi_api fields as well. To get these, you need to sign up at https://upgrade.yubico.com/getapikey/
Defines the timeout before a user has to log on again. Default is 600 seconds.
If you need users to register on their own, set the register option to 1. Default is 0
Optional template that will be used to send the registration email.
use %URL% to define the URL that will be clicked by the user. Use %BASE% for the base URL of the program
Optional subject that will be used
Optional from email address to use
If you need users to have the ability to reset their passwords by emailing a new one to them, set this option to 1. Default is 0. =head4 SMTP server settings
If you have register enabled, you need to specify SMTP settings
The hostname of the SMTP server
The smtpuser and smtppass parameters are optional. If your SMTP server requires you to authenticate, set these two fields.
Defined if you want to use a captcha. Default is 0.
Sign up for a free API from https://www.google.com/recaptcha/admin/create and enter the values in captcha_public and captcha_private
The main gatekeeper.. Checks if the session is valid. If not, pass control to the login screen. If the session is still valid, the timeout is reset, and control is returned to the main program.
Works identical to CGI::header. The only difference is the adding of a cookie to the header, and passing the header value if defined from the new function.
Displays the basic system meny
Function to send the footer, and sign everything off. Call this function last (or if you want to terminate the program
Generates an HTML form based on a schema
form (schema,submit text,hidden func field,title for the header,captcha option,%VALUES)
The field name that will be used in SQL and param calls
The field name that will be displayed
The type of the field, ie text, textarea, dropdown, or password
Defines the size of the field.
Defines the input data check that will be performed to ensure the input validation is passed. Options can be email, password, number or text.
Defines the SQL query to execute that will populate a dropdown list, should you use a dropdown.
Updates the data in the table
input : schema, table name, where
Shows the edit form after an id was passed to it
input : schema, table, title, button text, func field, where
Deletes the entry from the table
input : table, where
Takes the input from a form, and inserts it into a database
Input : schema, table, default values (for readonly fields)
Show the result of a SQL table
input : schema, table, title, linkfield, next func, where, actions
Create a mySQL table based on a schema definition
input : schema, table name
Defines a session variable
input : parameter, value
Retrieves a session variable
input : parameter
Output : value
Call this module once to setup the database tables. Running it multiple times will only introduce excessive load on the DB, but won't delete any tables.
It will create the tables tbl_users, tbl_session, and tbl_logs.
It will also create the default user 'admin', with it's password 'password'. Remember to change this password on your first logon.
Instead of using <a href links, call this function instead. It will embed a proper javascript substitute to ensure no GET urls are posted
input : text, func
Wrapper module
input : schema, func prefix, table
Will show a table of the schema (helpful to debug if the schema is buggy)
Will advise if the user is an administrator
All tables need an id field (auto increment primary key), and a varchar of xx_created_by. The xx_created_by field is populated by the username that created that particular entry. This is used in scenarios where a filter has to be set on only showing items belonging to the particular user. See phonebook2.pl for a practical example.
Phil Massyn, <phil at massyn.net>
<phil at massyn.net>
0.14 Fixed bug when filtering (sorting field -1) Swapped the arrows around Added list paging
0.13 Fixed Bug with showing admin menu when a non admin is logged on Fixed logic problem with validity vs required input fields Fixed a bug with not emailing the registration tokens correctly Prents fields from auto capitalizing on iOS devices Fixed showing the wrong menu when user is no longer logged on
0.12 Send via /usr/bin/sendmail (if it exists) on Unix boxes instead of Net::SMTP Include state on admin page Fixed user2 vs user bug on the registration page
0.11 Fixed bug after adding xx_created_by (did not add ? to values1) Added required check to sub form, with a corresponding div in the style sheet Added required check to sub form_insert Added input validation to sub form_update Updated logging of update, delete and insert Added yubikey and yubiid as validation inputs Changed admin schema to check yubi id as it's input validation Added xx_created_by to tbl_users (so admin module can edit it) Added header and footer css div tags and style sheets Added common font across css Removed table border from cgi and moved to css Fixed security bug - Removed readonly fields from being passed in form_update fields
0.10 Do not show "textarea" in a list Removed Home link from default header code Added additional actions to form_list Updated phonebook example Fixed bug with default admin user generation Fix admin module to use formlist's new actions feature Added xx_created_by field to all our created tables Added schema_dump procedure to display schemas Started adding some basic style sheet detail (system menu) Added system menu to changing passwords Ability to call is_admin without logged on will not call the database System_menu can detect if a user is logged on, and will show one of two menus Added more css to error and success messages Added default value to the schema Added required value to the schema
0.09 Customize register & forget emails Added msg_* to allow customization of feedback messages Added admin module Added funclink to manage hyperlinks through javascript better Delete accounts not validated within 24 hours as part of housekeeping Clean up of logs older than 30 days in housekeeping Change javascript calls to use native cgi->a calls Added a home link to the error messages Add timestamp, IP and user agent of machines used to create account and validate account for legal requirements - This requires a schema update. If you had a version prior to 0.09, your database will need to be updated.
0.08 Change order of form_list by clicking headers Create tbl_session_vars table Added session variables through get_variable and set_variable Added housekeeping to remove orphaned table entries Fixed dropdown bug not selecting the right value - This requires a schema update. If you had a version prior to 0.08, your database will need to be updated.
0.07 Fixed GET blocking not to prevent register and forget from working Added field in database to indicate administrators Prevented "password" fields from being displayed in lists Added the 2nd field to self param Encrypt passwords when using form_insert function Encrypt passwords if they're being changed through form_update Fixed number validation when validating a 0. Added a text input validation
0.06 Added autocomplete to login form Added form_delete function Added strong password enforcement Removed debug logs from captcha procedure Added logging when database gets changed
0.05 Fixed xss to check all array elements when calling fetchrow_array Replaced all GET with POST functions, and prevent futher usage of GET Added form_edit function Fixed missing hidden id in form function Updated param function to strip unsafe characters
0.04 Updated form to handle hidden field, and input values Added textarea, and readonly fields Included dropdown with SQL in the schema support Added form_create_table Added form_insert Added form_list Added HTML::Entities for encoding output string (prevent cross site scripting) Changed the cookie's session ID to reset on every click Make the cookie secure
0.03 Added no-cache tags to header function Added input validation procedure Added input validation for tokens Moved valid_email procedure into validate_input Fixed omission of $forgot parameter check on sub forgot Added reCaptcha
0.02 Added registration option (including Net::SMTP) Changed password encryption to a salted hash Added forgotten password option Logging all messages being displayed
0.01 Initial version
Please report any bugs or feature requests to bug-cgi-authenticationframework at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=CGI-AuthenticationFramework. I will be notified, and then you'llautomatically be notified of progress on your bug as I make changes.
bug-cgi-authenticationframework at rt.cpan.org
You can find documentation for this module with the perldoc command.
perldoc CGI::AuthenticationFramework
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
http://rt.cpan.org/NoAuth/Bugs.html?Dist=CGI-AuthenticationFramework
AnnoCPAN: Annotated CPAN documentation
http://annocpan.org/dist/CGI-AuthenticationFramework
CPAN Ratings
http://cpanratings.perl.org/d/CGI-AuthenticationFramework
Search CPAN
http://search.cpan.org/dist/CGI-AuthenticationFramework/
Copyright 2013 Phil Massyn.
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.
This module has not been scrutinized yet. It may very well contain security issues. Although unintentional, you should excersize caution, and not start deploying production systems on this code. Any bugs or issues raised will be rectified. Use this module at own risk.
To install CGI::AuthenticationFramework, copy and paste the appropriate command in to your terminal.
cpanm
cpanm CGI::AuthenticationFramework
CPAN shell
perl -MCPAN -e shell install CGI::AuthenticationFramework
For more information on module installation, please visit the detailed CPAN module installation guide.