Question about user authentication - login


Nejc Medved

Jun 24, 2017, 8:59:08 AM
to civetweb
Hi guys,

first I want to say a big thank you to civetweb developers! In our company we have recently started integrating civetweb server!

For now everything goes very smoothly except one thing - user authentication.

Basically we want to lock some urls if "user" is not authenticated. Is there any example how to make a "login" page when someone wants to access a specific url?

I was looking in examples or something useful in API section but I am without any solution for now!

Thank you in advance!

Nejc

Stephen Conley

Jun 24, 2017, 5:11:36 PM
to Nejc Medved, civetweb
There's a few ways you could implement this. In my opinion, the best way to do this is to serve an HTML login form, and have your program set a cookie when the user logs in with some ID that represents their login session.

Keep track of that ID on the server side through whatever means you like (in memory, database, etc.). Expire it whenever you want to.

If you want something quicker, though, you could use HTTP Basic Authentication. Civet supports something like this out of the box using global_auth_file ... You can see the docs in the user manual. Here's a little snip of how to set it up:

http://www.noahpendleton.com/2015/08/civetweb-authentication.html

Basic HTTP Authentication is implemented with HTTP headers, so you can also implement it yourself.

Sorry I don't have any specific code examples to show you but maybe this helps a bit!


Steve


bel

Jun 25, 2017, 1:12:57 PM
to civetweb, medo...@gmail.com


On Saturday, June 24, 2017 at 11:11:36 PM UTC+2, Steve wrote:
> There's a few ways you could implement this.
> ....

If you want to lock certain directories, there is one additional option: Just have a ".htpasswd" in the directory you want to lock - you don't need to set a "global_auth_file" then. You can generate the file with the -A option, just like in Steve's answer above (http://www.noahpendleton.com/2015/08/civetweb-authentication.html)

If you embed civetweb.c into your C/C++ application, and use a recent version, you could use the "mg_set_auth_handler" API function.
Within your "mg_authorization_handler", you can check all HTTP headers (and some other data). If you go for this option, I would also recommend cookie based authentication. If a request does not have the proper cookie, just send "mg_printf(conn, "HTTP/1.1 303 See Other\r\nLocation: /login\r\n\r\n");" and return 0, to redirect to a login (that needs to be implemented as well).
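
The cookie-session approach Steve and bel describe above, as an added example (not part of the original thread and not civetweb project code): a server-side session table with expiry, plus the authorization handler that checks the cookie and redirects to /login. The cookie name `sid`, the `/private/**` pattern, the `USE_CIVETWEB` build macro, the table size and the lifetime are assumptions, and `/dev/urandom` is assumed to be available.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SID_LEN 32        /* 16 random bytes, hex encoded */
#define MAX_SESSIONS 64   /* assumed table size */
#define SESSION_TTL 900   /* assumed session lifetime in seconds */
static struct session { char sid[SID_LEN + 1]; time_t expires; } sessions[MAX_SESSIONS];

/* Call after the login form's password check succeeds; returns the new ID. */
const char *session_create(time_t now) {
    unsigned char rnd[SID_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(rnd, 1, sizeof rnd, f) : 0;
    if (f) fclose(f);
    if (got != sizeof rnd) return NULL;              /* never fall back to rand() */
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].expires > now) continue;     /* slot still live */
        for (size_t j = 0; j < sizeof rnd; j++)
            sprintf(sessions[i].sid + 2 * j, "%02x", rnd[j]);
        sessions[i].expires = now + SESSION_TTL;
        return sessions[i].sid;
    }
    return NULL;                                     /* table full */
}

/* 1 if sid names an unexpired session. Every slot is compared in full. */
int session_valid(const char *sid, time_t now) {
    int ok = 0;
    if (!sid || strlen(sid) != SID_LEN) return 0;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        int diff = 0;
        for (int j = 0; j < SID_LEN; j++) diff |= sid[j] ^ sessions[i].sid[j];
        ok |= (diff == 0) & (sessions[i].expires > now);
    }
    return ok;
}

#ifdef USE_CIVETWEB /* register: mg_set_auth_handler(ctx, "/private/**", auth_handler, NULL); */
#include "civetweb.h"
static int auth_handler(struct mg_connection *conn, void *cbdata) {
    char sid[SID_LEN + 1];
    const char *cookies = mg_get_header(conn, "Cookie");
    if (cookies && mg_get_cookie(cookies, "sid", sid, sizeof sid) > 0
        && session_valid(sid, time(NULL)))
        return 1;                                    /* authorized: request proceeds */
    mg_printf(conn, "HTTP/1.1 303 See Other\r\nLocation: /login\r\n\r\n");
    return 0;                                        /* denied, response already sent */
}
#endif
```

Because the handler is registered on a URI pattern, it covers the .js, .html and .css files under that path, while /login stays outside it. The login handler that calls `session_create` should send the ID with `HttpOnly` and `SameSite` attributes (and `Secure` when served over TLS).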


Nejc Medved

Jun 26, 2017, 11:43:38 AM
to civetweb, medo...@gmail.com
Guys,

I really appreciate the answers!

I was thinking in the same way as you provided me the answers.

- I have already locked directory browsing but have not hidden the files yet. Someone cannot browse http://ip:port/dir/ but can view the file if http://ip:port/dir/file.html

So, could the final solution be:

1. I make a login page where the user enters username and password. I check if username and password are valid and I can send a response either successful or not and save a cookie at client.

2. But how can I then grant access to some .js, .html and .css files? Before auth I want them all locked and after that unlocked.

Thank you for answers in advance!

Nejc

bel

Jun 26, 2017, 3:03:01 PM
to civetweb, medo...@gmail.com


On Monday, June 26, 2017 at 5:43:38 PM UTC+2, Nejc Medved wrote:
>
> So, could the final solution be:
>
> 1. I make a login page where the user enters username and password. I check if username and password are valid and I can send a response either successful or not and save a cookie at client.
>
> 2. But how can I then grant access to some .js, .html and .css files? Before auth I want them all locked and after that unlocked.


Again, there are different ways to do this. What's easiest and fits best with the rest of the application depends. Are you using a pre-built standalone server, or embedding it into a C/C++ application? Are you serving real files, or generating contents from scripts? What server side scripts are you using? What clients do you need to consider - just web browsers?

If you use HTTP digest auth (i.e., if you put a .htpasswd file in the locked directory), a browser will automatically show a standard login mask when you enter a locked directory. It's comfortable since you don't need to do anything else, like redirects, ... but it cannot be customized at all. Just try it, to see if you like it.

You could use an index script to serve all files that are supposed to be locked. You don't have the files in the document_root at all, but just the script.

... and some other options, depending on the detailed use case.
