I have created a web server using the TCPnet HTTP server. I need to implement a way of allowing various users to log into the server, each having different levels of authority (i.e. what settings they may view or change). More specifically, I wish to have regular 'users' who may log in with a username and password; and an administrator who would log in with his own username and password.
It seems that using the inbuilt Authorisation Realm string won't be sufficient for my needs. I don't think that this system can provide me with a set of different usernames and passwords, and even if it did, I don't think I can read the username from within my own code. I will therefore implement my own username and password login page using a simple form.
The obvious question now is how to keep track of sessions and who the various CGI requests are coming from. I did initially hope that I could simply use the function http_get_session to attach a unique ID to each browser that is currently communicating with the web server. But I discovered that http_get_session is only useful for that moment in time between calls to cgi_process_data and cgi_func, to ensure that the right response is sent to the right browser should two browsers submit a form query at exactly the same time.
So, the only other method I can think of at the moment would be to make use of the function http_get_info, which returns the IP and MAC addresses of the remote machine. What I would propose to do is to record that remote IP and MAC whenever I receive a successful log-in form query. If, for instance, I receive a successful administrator log-in form query, I would then only allow cgi_func to properly process administrator CGI pages when http_get_info returns the IP/MAC that the administrator logged in from.
My question is, are there any reasons why this shouldn't work? Can I depend on http_get_info to *always* provide me with the IP/MAC of the remote machine? Or are there any network configurations (e.g. firewall) where http_get_info may be prevented from working? The Keil documentation itself does actually suggest that the http_get_info function may be used to restrict access to specific remote machines, so I am feeling fairly positive this will work.
I'm going to get on and give it a go in the meantime, but I would appreciate any thoughts or suggestions for alternatives.
Thanks
Trev
Your unit may be affected by a firewall where a huge number of users will show up with the same IP number.
If you use basic authentication, then you can get the web browser to send login information on every page access. Another way is to send a cookie to each user.
Many thanks, Per. I did suspect that the remote IPs could be obscured due to a firewall. However, I am hoping that using just the MAC address, and not the IP, could get around this problem. I think that's the way I'm going to try to implement it tonight so that we can test it.
I think that the TCPnet HTTP server is very limited in terms of what you can do with basic authentication. I'm not sure if there's a way to make the browser resend the information on each request with this particular server, but I will recheck the documentation now. Also, I have yet to find any references to generating cookies with the Keil server but again I will do some more reading.
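The cookie approach Per suggests, as an added sketch that is not part of the thread and is not Keil code: each successful login gets a random token stored with its role, and every later request is authorised by that token rather than by IP or MAC address, which all clients behind one router share. It assumes the application can hand a cookie value to the browser and read it back on each request, which the thread leaves open. All names here are hypothetical, and `raw` must be filled from a hardware RNG or CSPRNG on the target.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 4
#define TOKEN_BYTES  16                    /* 128-bit session ID */
#define TOKEN_CHARS  (2 * TOKEN_BYTES)     /* hex-encoded length */
#define SESSION_TTL  600u                  /* idle timeout, seconds (assumed value) */
/* Free slot, or idle deadline passed (wrap-safe for a free-running seconds counter). */
#define EXPIRED(s, now) ((s)->role == ROLE_NONE || (int32_t)((now) - (s)->expires) >= 0)
enum role { ROLE_NONE = 0, ROLE_USER, ROLE_ADMIN };
struct session { char token[TOKEN_CHARS + 1]; enum role role; uint32_t expires; };
static struct session sessions[MAX_SESSIONS];   /* ROLE_NONE marks a free slot */

/* Compare every character so timing does not reveal how much of a guess matched. */
static int token_equal(const char *a, const char *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < TOKEN_CHARS; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* After a successful login: returns the cookie value, or NULL if no slot is free. */
const char *session_create(enum role role, uint32_t now, const uint8_t raw[TOKEN_BYTES]) {
    static const char hex[] = "0123456789abcdef";
    if (role == ROLE_NONE) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &sessions[i];
        if (!EXPIRED(s, now)) continue;    /* slot still holds a live session */
        for (size_t j = 0; j < TOKEN_BYTES; j++) {
            s->token[2 * j]     = hex[raw[j] >> 4];
            s->token[2 * j + 1] = hex[raw[j] & 0x0f];
        }
        s->token[TOKEN_CHARS] = '\0';
        s->role = role;
        s->expires = now + SESSION_TTL;
        return s->token;
    }
    return NULL;
}

/* On every request: map the presented cookie value to a role, ROLE_NONE if unknown. */
enum role session_lookup(const char *cookie, uint32_t now) {
    if (cookie == NULL || strlen(cookie) != TOKEN_CHARS) return ROLE_NONE;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &sessions[i];
        if (EXPIRED(s, now) || !token_equal(s->token, cookie)) continue;
        s->expires = now + SESSION_TTL;    /* sliding idle timeout */
        return s->role;
    }
    return ROLE_NONE;
}
```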