Self-Registering Password Protection, Part 2
By Randal L. Schwartz
Last month, I introduced a mod_perl authentication and authorization module that permitted an extended format htpasswd-like file. The purposes of the extensions were to associate an email address with each user, and give a list of "keys" that the user would have in his or her permission. Then the htaccess files would refer to a series of "locks" needed for access to a particular file or directory, and access was granted only when the user had the keys for all the locks.
But the best part of the module was that we redirected any failed authentications and authorizations to a CGI program. In the case that the program recognized the unauthorized user's email address, it would allow the user to create a username and password.
It's time to present the CGI handler to conclude the picture. Before we begin, you should check the correction to last month's code.
The code for the CGI handler is shown in Listing 1. Line 1 turns on taint mode, and because I use a child process later, I set the PATH in line 4 to keep taint mode from failing.
Line 6 is a reminder that this script won't work if I move it to the /perl directory (my Apache::Registry area) because I use nested subroutines and file-scoped my variables, a deadly combo with that module.
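To see why the PATH assignment matters under taint mode, here is a small added illustration (not Listing 1 and not code from the column). The child command /bin/true, the PATH value /bin:/usr/bin, and the helper name run_child are assumptions chosen for the demonstration.

```perl
#!/usr/bin/perl -T
# Added illustration of taint mode and child processes.
# Run as: perl -T taint_path.pl   (the -T must also be on the command line)
use strict;
use warnings;

# Hypothetical helper: try to run a child process in list form (no shell).
# Returns '' on success, or the error text if Perl refused or the child failed.
sub run_child {
    my @cmd = @_;
    my $ok = eval {
        system(@cmd) == 0 or die "child exited with status $?\n";
        1;
    };
    return $ok ? '' : $@;
}

my $cmd = '/bin/true';    # assumed location of a harmless child program

# Step 1: the PATH inherited from the caller's environment is tainted, so
# Perl dies before starting any child, even though the command is given by
# absolute path (the child itself might consult PATH).
my $before = run_child($cmd);
print "inherited PATH: ", ($before eq '' ? "child ran\n" : $before);

# Step 2: assign a known-good PATH from a literal (literals are never
# tainted) and drop the other variables that can change how a shell behaves.
$ENV{PATH} = '/bin:/usr/bin';                 # assumed safe directories
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $after = run_child($cmd);
print "explicit PATH:  ", ($after eq '' ? "child ran\n" : $after);
```

The first attempt reports a taint error naming $ENV{PATH}; the second succeeds because every directory a child could search now comes from the script rather than from the request environment.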