.ig >>
<STYLE TYPE="text/css">
<!--
        A:link{text-decoration:none}
        A:visited{text-decoration:none}
        A:active{text-decoration:none}
        OL,UL,P,BODY,TD,TR,TH,FORM { font-family: arial,helvetica,sans-serif;; font-size:small; color: #333333; }

        H1 { font-size: x-large; font-family: arial,helvetica,sans-serif; }
        H2 { font-size: large; font-family: arial,helvetica,sans-serif; }
        H3 { font-size: medium; font-family: arial,helvetica,sans-serif; }
        H4 { font-size: small; font-family: arial,helvetica,sans-serif; }
-->
</STYLE>
<title>quisp: restricting access (passwords, cookies, etc.)</title>
<body bgcolor=99cc99 vlink=0000FF>
<br>
<br>
<center>
<table cellpadding=2 bgcolor=FFFFFF width=550 ><tr>
<td align=right><a href="quisp_home.html">
<img src="img/quisp2.gif" border=0><br><small>quick server pages</a> &nbsp; &nbsp; </td></tr>
<td>
.>>

.TH Restricting access (passwords, cookies, etc.) TDH "12-APR-2004   TDH scg@jax.org" 


.SH Password-protection
Here's a method for setting up password-protection for certain pages.
.LP
1) Build a page that uses a \fC<input type=password>\fR field.
.LP
2) Submit this to a target page that compares the 
entered value with the current password, and if they match, sets
a cookie to the value of the password, like this:
.nf
 \0 #if @inpw = @ADMINPW
 \0     #+ Set-Cookie ABC_ADMIN ....
 \0 #endif
.fi
The cookie can be made to expire at the end of the user's browser session by 
omitting \fCSet-Cookie\fR's \fCExpires:\fR attribute.
.LP
3) The current password can be defined in your config file:
.nf
  \0 varvalue:  ADMINPW=flibby
.fi
.LP
4) Then for each page you wish to restrict access to, near the top, 
put something like this, which reads the cookie and compares it with
the configured password:
.nf
 \0 #cookie ABC_ADMIN
 \0 #if @ABC_ADMIN != @ADMINPW
 \0   <h2>Access denied.</h2>
 \0   #exit
 \0 #endif
.fi
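.LP
The flow in steps 1 through 4, modelled in Python as an added example (not quisp code and not part of the quisp distribution): the login target issues a session cookie with no \fCExpires\fR attribute, and the page gate compares the cookie only against the server-side ADMINPW. The function names and the constant-time comparison are assumptions of this sketch.
.nf
```python
import hmac
from http.cookies import SimpleCookie

ADMINPW = "flibby"         # config value from step 3 (varvalue: ADMINPW=flibby)
COOKIE_NAME = "ABC_ADMIN"  # cookie name used in steps 2 and 4


def _same(a: str, b: str) -> bool:
    # Constant-time comparison: an addition of this sketch, the page's
    # #if performs a plain string compare.
    return hmac.compare_digest(a.encode(), b.encode())


def login(inpw: str):
    """Step 2: target of the password form (hypothetical function name).

    Returns the Set-Cookie value on success, None on a wrong password.
    """
    if not _same(inpw, ADMINPW):
        return None
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ADMINPW
    # No Expires or Max-Age attribute is set, so the browser discards
    # the cookie at the end of the session.
    return cookie[COOKIE_NAME].OutputString()


def gate(cookie_header: str) -> str:
    """Step 4: check placed near the top of each restricted page."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    # Compare with the configured ADMINPW only, never with another value
    # that arrives in the same request: the client controls both the
    # cookie and any form field, so two matching client values prove nothing.
    if morsel is None or not _same(morsel.value, ADMINPW):
        return "<h2>Access denied.</h2>"
    return "<h2>Admin page</h2>"


if __name__ == "__main__":
    issued = login("flibby")               # constructed sample input
    print("Set-Cookie:", issued)
    print(gate(issued))                    # cookie from a good login
    print(gate("ABC_ADMIN=guess"))         # cookie the server never issued
```
.fi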


.ig >>
<br><br><br>
.>>

.SH REMOTE_HOST or REMOTE_ADDR
You can get the user's REMOTE_HOST or REMOTE_ADDR and compare it against a known list
to enforce restricted access.
The user's REMOTE_HOST also serves well as a SHSQL identity (used for record locking
and identification on transaction logs).
.nf
 \0 #set USER = $getenv( "REMOTE_HOST" )
 \0 #if @USER in fred@abc.com,george@abc.com
 \0   #+ Set-Cookie .... 
 \0 #endif
 \0 #sql identity @USER
.fi

.ig >>
<br><br><br>
.>>

