RSS FeedA Perl library for Hash based authorization.
For the latest version of documentation for Digest::Auth please view the POD documentation that is included with the Perl Module.
Methods:
Parameters:Here is a simplistic script that utilizes the base functions of Digest::Auth
Code:
#!/usr/bin/perl -w
use Digest::Auth;
use CGI;
use DBI;
my $dsn = "DBI:mysql:database=mydatabase";
my $user= "myuser";
my $pass= "mypass";
my $mydbh = DBI->connect($dsn,$user,$pass,{'RaiseError' => 1})my $Auth = Digest::Auth->new(dbh => $mydbh);
my $query = CGI->new();
print "Content-Type: text/html\n\n";
if($query->param("ACTION") eq "display_login"){# Begin a dialog with User
my %iresults = $Auth2->Initialize();
}elsif($query->param("ACTION") eq "display_login")# Autheticate User
my %vresults = $Auth2->Validate(userid => "Auth-Digest-Admin",
cert => $hash,
password => "Auth-Digest-Password");
}else{# Authorize User
print ($Auth->Authorize(userid => $cresults{userid},hash => $cresults{hash}) == 1) ? "Authorized" : "Not Authorized";}
Methods
Declaring a new instance of Digest::Auth is easy.
This declares a new instance of Digest::Auth. You can pass any number of Parameters to it in this method however at minimum it is a good practice to pass the database handel Parameter since most of the other functions requrire it to work properly.
Code:
# minimalist usage
my($Auth)= Digest::Auth->new();
# OR
# with the basics
my($Auth)= Digest::Auth->new(dbh => $my_dbh);
Digest::Auth keeps tabs on how long sessions are allowed to last. To change or set options you can use the Set() and Get() methods. Set() takes one or multiple arguments as a Hash.
Code:
# Set multiple arguements at once or only one.
my $reuslt = $Auth->Set(connection => 7200,
validation => 300,
idletime => 600);
# you get a result of 1 for each successful change so we can do this.
if($result == 3){print "All changes successful!";
}else{print "One or more change didn't work.";
}
Digest::Auth keeps tabs on how long sessions are allowed to last. To change or set options you can use the Set() and Get() methods. Get() takes single variable arguements.
Code:
# Find the value of Auth->{datamapping}{session}{table}my($CurrentValue) = $Auth->Get(datamapping,session,table);
# Find the value of connection
my($CurrentValue) = $Auth->Get(connection);
Establish a session with Initialize(). Ideally you would next use WriteScript() next unless compatmode is on to convert the users credentials to secure hashes before submitting the data back for validation.
Code:
my %iresults = $Auth->Initialize()
print "Session Validated: \n"
. "\n Cert: " . $iresults{cert}. "\n IP: " . $iresults{ip}. "\n Stamp: " . $iresults{stamp};
Use Validate() to authorize the users credentials after a session has been initalized. Depending on the setting of compatmode there is a different argument you need to supply. Arguements are in a hash format. See below:
Code:
# Method Options: opts{userid, cert, hash, pass}# userid, cert, (hash || password) required
#
# + use only hash when self->compatmode = 0
# + use only pass when self->compatmode = 1
#
# The way you would normally call the method
my %vresults = $Auth->Validate(userid => $your_userid, cert => $your_cert, hash => $your_hash);
# Or do it with compat mode on....
my $SetReselt = $Auth->Set(compatmode => 1);
my %vresults = $Auth->Validate(userid => $your_userid, cert => $your_cert, password => $your_password);
if( $vresults{result} ){print "Session Validated: \n"
. "\n Result: " . $vresults{result}. "\n UserID: " . $vresults{userid}. "\n Hash: " . $vresults{hash}. "\n Cookie: " . $vresults{cookie};}else{print "Session could not be validated.";
}
This takes the users credentials and attempts to authorize the validated user. It takes only two arguements, the userid and hash. If usecookies is off the you will need to call this function with arguments as below, if usecookies is on then it can be called without arguments.
Code:
# standard way to do it
my $results = $Auth->Authorize();
# OR
# usecookies is off, do it the hard way.
my $results = $Auth->Authorize(userid => $userid, hash => $hash);
Method to checks to see if based on the ruleset a session can be established. This is automatically called but can also be called manually. Returns a Hash.
Code:
$Auth->Avalible();
Logs entry of a bad session attempt.
Code:
$Auth->AttemptAdd();
Creates a lockout for a username/ip.
Code:
$Auth->LockAdd();
Expires a lock entry.
Code:
$Auth->LockExpire();
This is an experimental automatic authorization method that chooses which functions are required. I would reccomend not using it until the method becomes more stable.
Code:
$Auth->AutoAuth();
To make your life easier if you don't have an existing table structure you can make all the tables for your database by just calling the TableMake() method.
Code:
# Make all the tables
TableMake(table => 'all');
# Just make the session table
TableMake(table => 'session');
# Just make the session table
TableMake(table => 'sessionattempts');
# Just make the session table
TableMake(table => 'sessionlocks');
# Just make the session table
TableMake(table => 'user');
This method simplifies adding a new user to the user table. Like all the other methods, they respect the datastructure, which means if you change the datamapping of user to myusers for the table name it will populate the myusers table instead.
Code:
$Auth->UserAdd(user => $myusername, password => $mypassword);
This is a debugging tool that helps neatly print SQL statements out in HTML when module for debug messages.
Code:
$Auth->SQL_Die($subroutine_calling_method, $sql_code_executed, $error_code_received);
A debugging tool that appends data to the debug info.
Code:
$Auth->DebugAdd();
A debugging tool that prints out the debug information.
Code:
# data = Debug Text, level = l through 3 (1:Error,2:Warning,3:Information);
$Auth->DebugShow($data,$level);
Retreives cookie information. Note: when using usecookies you do not have to parse this and put it into the Authorize hash since it is done automatically for you.
Code:
# by default if you have no arguments you
# get the data from the cookiename pararameter.
$Auth->CookieGet();
# Get the hash data from a cookie other then the default cookie.
$Auth->CookieGet(name => $mycookiename);
Set some hash data into the cookie for reuse. Note: when using usecookies you do not have to take the hash results of Authorize() and put it into this method since it is done automatically for you.
Code:
# Set some hash data into the cookie for reuse.
$Auth->CookieSet(data => $data, # This is the only required parameter
name => $name, # If excluded defauls to: cookiename parameter
domain => $domain, # If excluded defauls to: domain parameter
path => $path, # If excluded defauls to: "/"
gmt => $gmt); # If excluded defauls to: now plus idletime parameter
Returns a javascript formatted to print out.
Code:
$Auth->WriteScript( $Auth->JS_Digest() );
Returns Javascript clientside code to produce hashes.
Code:
$Auth->JS_Digest(); # Print SHA1 client javascript
$Auth->JS_Digest(digest => "MD5"); # Print MD5 client javascript
The Keygen() method takes two arguements; Key Length (1 to 128) and Complexity (1 to 3). Key length is the length or number of characters you would like to have returned. Complexity is what type of data (1 Upper case letters, 2 uppercase letters and numbers, 3 uppercase letters, lowercase letters and numbers). By design Digest::Auth uses complexity 3. Since we are using by default 10 digit alpha-numeric random keys we are looking at around 1 in 58 to the power of 10 (about 1 in 430,804,206,899,405,800).
Code:
$Auth->Keygen(10,3); # Print SHA1 client javascript
$Auth->Keygen(digest => "MD5"); # Print MD5 client javascript
Parameters
Passes an open Database handel to the Digest::Auth perl module. If you dont have access to a database server there is a great module called SQLite (http://www.sqlite.org/) that will do the trick, all it requires is downloading the Perl Module and reading a few peices of documentation. This module was designed to originally work with MySQL, however any SQL compliant Database provided there is a DBI/DBD connecter should work.
Code:
# connect to a database
use DBI;
my $dsn = "DBI:mysql:database=mydatabase";
my $user= "myuser";
my $pass= "mypass";
my $mydbh = DBI->connect($dsn,$user,$pass);
$Auth->Set(dbh => $my_dbh); # pass the database handel
Debug mode spews additional information. Use 1=on or 0=off. Default is off.
Code:
$Auth->Set(debug => 1); # turn Debug on
This variable stores Debug information in HTML format when the parameter debug is is active. While you can't set this variable information, you can retrive it easily.
Code:
$Auth->Get(debuginfo);
Cookie name to use for authorization. This variable dertermines the name of the cookie that maintains user session credentials. In most cases you can leave it as is.
Code:
# Cookie name to use for authorization
$Auth->Set(cookiename => "MyCookieCert");
Domain name to use for the for cookie, etc. If you are using cookies it is required for them to work properly.
Code:
# change to accept everything from .avitar.net
$Auth->Set(domain => ".avitar.net");
Use cookies to maintain sessions. By default to make programmers lives easier
Code:
$Auth->Set(usecookies => 0); # optional, puts the responsibility
# on the programmer to carry session data
# this is the reccomended behavor for higher compatibility
# although it reduces ease of use.
$Auth->Set(usecookies => 1); # default behaviour
Hash Digest to use. An internal function DigestMake() looks at the digest Parameter and will try to make a new instance via SomeDigest->new(), then it trys to add data via SomeDigest->add(), and will finally try to get a hex digest by calling SomeDigest->hexdigest(). This basically means that if you make an object oreinted digest with these standard functions it will tie in without any problems.
Code:
$Auth->Set(domain => "Digest::SHA1"); # This is the default value
$Auth->Set(domain => "MD5"); # Use the alternate MD5 hash algorythm
$Auth->Set(domain => "My::New::Hash"); # Use an unknown hash type
Maximum total length of time a session is allowed to be. Default is 86400 seconds (24 hours). To disable change to -1. This will expire an active session if it exceedes this amout of time which helps to prevent some bot/macro'ed actions that would keep the user active indefinately. The user should be able to log back in afterwards immediatly. This combined with a Human Readable Identification code will keep people from abusing login times. For help with random text you can use the Keygen() method.
Code:
$Auth->Set(connection => 7200); # change to 2 hours
# OR
$Auth->Set(connection => -1); # change it to unlimited
Amount of time a user has to enter a username and password and submit it back to the server before their validation cert/key becomes invalid. Default is 600 seconds (10 minutes). To disable change to -1.
Code:
$Auth->Set(validation => 300); # change it to 5 mins
# OR
$Auth->Set(validation => -1); # change it to unlimited; not reccomended
Amount of time a user has to idle in the system without their session expiring. Default time is 3600 seconds (60 minutes). To disable change to -1.
Code:
$Auth->Set(idletime => 900 ); # change it to 15 minutes
# OR
$Auth->Set(idletime => -1); # change it to unlimited; not reccomended
Number of times to retry intitializing a session if the key is a duplicate. Note that a collision in cert keys is extreemly rare. Since we are using by default 10 digit alpha-numeric random keys we are looking at around 1 in 58 to the power of 10 (about 1 in 430,804,206,899,405,800).
Code:
# Try 20 times for a unique key before we give up and reject the init.
$Auth->Set(initcertretry => 20);
This variable controls how long it takes for bad login attempts to expire. This is applies to loggin in on an invalid session hash, username, ip address, etc.
Code:
$Auth->Set(forgiverate => 86400);
Maximum connections/sessions per IP address. Default is 1. For an unlimited number of sessions per IP address (Highly unreccomended) use the value of -1. If you were working with serveral machines that were NAT'ed behind a router you would want to have one entry per user beihnd that single IP address. Typically this is not a big deal for big businesses that have a huge block of IP's, but when working with small businesses you may want to have this set from 10 to 50 for companies that use one external IP off a T1/DSL/Cable line for 10 to 50 users (after which usually the companies tend to grow and buy a block of IP addresses). Setting this above 1 tends to reduce security by opening a possible man in the middle attack. Then again it may be the lesser of two evils where people would share a single username and password circumventing security in a worse way.
Code:
$Auth->Set(maxconperip => 10); # change it to 10
# OR
$Auth->Set(maxconperip => -1); # change it to unlimited
Maximum connections/sessions per user name. Default is 1. For an unlimited number of sessions per IP address (Highly unreccomended) use the value of -1.
Code:
$Auth->Set(maxconperuser => 10); # change it to 10
# OR
$Auth->Set(maxconperuser => -1); # change it to unlimited
Maximum number of times a user can enter a bad password before they get banned/locked out. Default is 5. For an unlimited number of sessions per IP address (Highly unreccomended) use the value of -1.
Code:
$Auth->Set(maxconperuser => 10); # change it to 10
# OR
$Auth->Set(maxconperuser => -1); # change it to unlimited
WARNING: THIS REDUCES SECURITY: Change to 1 to enable compatibility for non-javascript browsers. Instead the password will be passed in plaintext to the server with the other credentials which makes a hash out of the credential data and compairs it to the stored user credentials and the session credentials to attempt to validate or authorize the users.
Code:
$Auth->Set(compatmode => 1); # Enable compat mode
# OR
$Auth->Set(compatmode => 1); # Disable compat mode (default setting)
This determines how bans/locks for rule violations are handeled. In most cases you can just leave these as is. The ban length goes up with each additional rule violation that occours within the forgiverate. This is one of the trickier items to configure.
The defaults are: 5 min, then 15 min, then 1 hr, then 1 day, then permenent. You can add or remove levels in between each section if you want for the ban length rules. All times are in seconds, and you can use -1 for permenent. The library expects concurrently increasing ban lengths.
Code:
# make all bans permenent
$Auth->Set(banlength => [-1]);
# make all bans 1 h
$Auth->Set(banlength => [3600]);
# change bans to 10 min, 2 hrs, 2 hrs, 2 hrs, then permenent.
$Auth->Set(banlength => [900,7200,7200,7200,-1]);
Optionally use this option if you are using this module with an existing user database. It allows you to modify the column names the module utilizes. The first level of the hash array corrosponds. The changes are immediatly respected.
Code:
$Auth->Set(
datamaping =>
(session => {table => "session",
ip => "ip",
key => "key",
hash => "hash",
userid => "userid",
firstactive => "firstactive",
lastactive => "lastactive",
},
sessionlocks => {table => "sessionlocks",
ip => "ip",
stamp => "stamp",
expires => "expires",
expired => "expired",
key => "key",
hash => "hash",
userid => "userid",
type => "type",
},
sessionattempts => {table => "sessionattempts",
ip => "ip",
stamp => "stamp",
key => "key",
hash => "hash",
userid => "userid",
},
user => {table => "user",
userid => "userid",
password => "password",
},
)
);
