
TCPNet HTTP: User / Admin log-in ability

I have created a web server using the TCPnet HTTP server. I need to implement a way of allowing various users to log into the server, each having different levels of authority (i.e. what settings they may view or change). More specifically, I wish to have regular 'users' who may log in with a username and password; and an administrator who would log in with his own username and password.

It seems that using the inbuilt Authorisation Realm string won't be sufficient for my needs. I don't think that this system can provide me with a set of different usernames and passwords, and even if it did, I don't think I can read the username from within my own code. I will therefore implement my own username and password login page using a simple form.

The obvious question now is how to keep track of sessions and who the various CGI requests are coming from. I did initially hope that I could simply use the function http_get_session to attach a unique ID to each browser that is currently communicating with the web server. But I discovered that http_get_session is only useful for that moment in time between calls to cgi_process_data and cgi_func, to ensure that the right response is sent to the right browser should two browsers submit a form query at exactly the same time.

So, the only other method I can think of at the moment would be to make use of the function http_get_info, which returns the IP and MAC addresses of the remote machine. What I would propose to do is to record that remote IP and MAC whenever I receive a successful log-in form query. If, for instance, I receive a successful administrator log-in form query, I would then only allow cgi_func to properly process administrator CGI pages when http_get_info returns the IP/MAC that the administrator logged in from.

My question is, are there any reasons why this shouldn't work? Can I depend on http_get_info to *always* provide me with the IP/MAC of the remote machine? Or are there any network configurations (e.g. firewall) where http_get_info may be prevented from working? The Keil documentation itself does actually suggest that the http_get_info function may be used to restrict access to specific remote machines, so I am feeling fairly positive this will work.

I'm going to get on and give it a go in the meantime, but I would appreciate any thoughts or suggestions for alternatives.

Thanks

Trev

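The IP/MAC check proposed in the post, sketched as an added example (not code from the original post or from Keil). All type and function names are hypothetical, timestamps are seconds from a caller-supplied clock, and the addresses are constructed; the `main` shows the limit of the scheme, where two browsers behind the same router present identical addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names. On the target, peer_t would be filled per request from
   the IP and MAC that http_get_info reports. */
typedef struct { uint8_t ip[4]; uint8_t mac[6]; } peer_t;
typedef enum { ROLE_NONE = 0, ROLE_USER, ROLE_ADMIN } role_t;
typedef struct { peer_t peer; role_t role; uint32_t last_seen; } login_t;

#define MAX_LOGINS   4
#define IDLE_TIMEOUT 300u            /* seconds, constructed value */
static login_t logins[MAX_LOGINS];

static int same_peer(const peer_t *a, const peer_t *b) {
    return memcmp(a->ip, b->ip, 4) == 0 && memcmp(a->mac, b->mac, 6) == 0;
}
static int live(const login_t *l, uint32_t now) {
    return l->role != ROLE_NONE && now - l->last_seen <= IDLE_TIMEOUT;
}

/* Call after a successful log-in form query. Returns 0, or -1 if the table is full. */
int login_record(const peer_t *p, role_t role, uint32_t now) {
    login_t *slot = NULL;
    for (int i = 0; i < MAX_LOGINS; i++) {
        if (live(&logins[i], now) && same_peer(&logins[i].peer, p)) { slot = &logins[i]; break; }
        if (slot == NULL && !live(&logins[i], now)) slot = &logins[i];
    }
    if (slot == NULL) return -1;
    slot->peer = *p; slot->role = role; slot->last_seen = now;
    return 0;
}

/* Call before serving a CGI page: role for this IP/MAC, ROLE_NONE if unknown or idle too long. */
role_t login_role(const peer_t *p, uint32_t now) {
    for (int i = 0; i < MAX_LOGINS; i++) {
        if (!live(&logins[i], now)) { logins[i].role = ROLE_NONE; continue; }
        if (same_peer(&logins[i].peer, p)) { logins[i].last_seen = now; return logins[i].role; }
    }
    return ROLE_NONE;
}

int main(void) {
    /* Constructed addresses. Requests that arrive through a router carry the
       router's MAC, and behind NAT its IP too, so both browsers look like this. */
    peer_t via_router = {{10, 0, 0, 1}, {0x02, 0, 0, 0, 0, 0x01}};
    peer_t second_browser = via_router;
    login_record(&via_router, ROLE_ADMIN, 100);
    printf("second browser role: %d\n", login_role(&second_browser, 110));
    return 0;
}
```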