#set TITLE = "Restricting access (passwords, cookies, etc.)"
#include top


.SH Password-protection
Here's a method for setting up password-protection for certain pages.
.LP
1) Build a page that uses a \fC<input type=password>\fR field.
.LP
2) Submit this to a target page that compares the 
entered value with the current password, and if they match, sets
a cookie to the value of the password, like this:
.nf
 \0 #if @@inpw = @@ADMINPW
 \0     #+ Set-Cookie ABC_ADMIN ....
 \0 #endif
.fi
The cookie can be made to expire at the end of the user's browser session by 
not specifying \fCSet-Cookie\fR's \fCExpires:\fR attribute.
.LP
3) The current password can be defined in your config file:
.nf
  \0 varvalue:  ADMINPW=flibby
.fi
.LP
4) Then for each page you wish to restrict access to, near the top, 
put something like this:
.nf
 \0 #cookie ABC_ADMIN
 \0 #if @@ABC_ADMIN != @@ADMINPW
 \0   <h2>Access denied.</h2>
 \0   #exit
 \0 #endif
.fi
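.LP
The same flow as steps 2 and 4, as an added example in Python (not QUISP, and not code from this page's project), with one change: the cookie carries a server-signed random token instead of the password itself, and a missing cookie is always denied. \fCSERVER_KEY\fR and the function names are assumptions; \fCADMINPW\fR is the sample value from step 3.

```python
import hashlib
import hmac
import secrets

ADMINPW = "flibby"                    # sample password from the config line in step 3
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the browser


def _sign(nonce: str) -> str:
    """HMAC-SHA256 over the nonce, keyed with the server-side secret."""
    return hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()


def login(inpw: str):
    """Step 2: return a value for the ABC_ADMIN cookie, or None on a wrong password."""
    # An empty submission never matches; the comparison is constant-time.
    if not inpw or not hmac.compare_digest(inpw.encode(), ADMINPW.encode()):
        return None
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(nonce)}"  # proves a successful login without exposing the password


def set_cookie_header(token: str) -> str:
    """No Expires/Max-Age attribute, so the browser drops it at end of session."""
    return f"Set-Cookie: ABC_ADMIN={token}; HttpOnly; Secure; SameSite=Strict"


def allowed(cookie) -> bool:
    """Step 4: gate at the top of each restricted page."""
    # A missing, empty or malformed cookie is denied before any comparison.
    if not cookie or "." not in cookie:
        return False
    nonce, _, mac = cookie.partition(".")
    return hmac.compare_digest(mac.encode(), _sign(nonce).encode())


if __name__ == "__main__":
    token = login("flibby")
    print(set_cookie_header(token))
    print("valid token:", allowed(token))
    print("no cookie:", allowed(None))
    print("password used as cookie:", allowed(ADMINPW))
```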


#include space

.SH REMOTE_HOST or REMOTE_ADDR
You can get the user's REMOTE_HOST or REMOTE_ADDR and compare it against a known list
to enforce restricted access.
The user's REMOTE_HOST also serves well as a SHSQL identity (used for record locking
and identification on transaction logs).
.nf
 \0 #set USER = $getenv( "REMOTE_HOST" )
 \0 #if @@USER in fred@abc.com,george@abc.com
 \0   #+ Set-Cookie .... 
 \0 #endif
 \0 #sql identity @USER
.fi

#include space

