How to generate http error in script

How to generate http error in script

on 02.09.2007 17:54:47 by Petr Vileta

I wrote a script where some login is needed and I want to generate a standard
HTTP error when the login data is wrong. The script below works on MS-IIS but
fails on Apache. What is the right way?

#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:cgi);
my $user = param('user');
if($user ne 'test') {&unauth; exit;}
# do something

sub unauth
{
print "HTTP/1.1 401 Unauthorized\n",
"Connection: close\n",
"Content-Type: text/html; charset=utf-8\n\n",
"\n",
"401 Unauthorized access\n",
"

401 Unauthorized access

\n";
}

--

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail
from another non-spammer site please.)

Re: How to generate http error in script

on 02.09.2007 19:57:29 by Gunnar Hjalmarsson

Petr Vileta wrote:
> I wrote script where some login is needed and I want to generate
> standard http error when login data is wrong. The script below work on
> MS-IIS but fail on Apache. What is the right way?



Instead of

> print "HTTP/1.1 401 Unauthorized\n",

I'd just do:

print "Status: 401 Unauthorized\n",

The web server is supposed to turn the CGI header "Status" into the
proper HTTP syntax.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: How to generate http error in script

on 03.09.2007 00:32:39 by Ben Morrow

Quoth "Petr Vileta" :
> I wrote script where some login is needed and I want to generate standard
> http error when login data is wrong. The script below work on MS-IIS but
> fail on Apache. What is the right way?
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use CGI qw(:cgi);
> my $user = param('user');
> if($user ne 'test') {&unauth; exit;}

Don't call functions with &.

> # do something
>
> sub unauth
> {
> print "HTTP/1.1 401 Unauthorized\n",
> "Connection: close\n",
> "Content-Type: text/html; charset=utf-8\n\n",
> "\n",
> "401 Unauthorized access\n",
> "
>
> 401 Unauthorized access
>
> \n";

Hmmm... a mess... try a heredoc:

print <<CGI;
HTTP/1.1 401 Unauthorized
Connection: close
Content-Type: text/html; charset=utf-8

....
CGI

> }

Do you realise that 401 is handled specially by most browsers, in that
they will pop up an auth dialog and attempt to use HTTP auth with the
provided information? In more general terms, 401 means 'not correctly
authorized with HTTP auth; try again with different credentials'. Since
you are using a custom scheme (presumably a form with a field called
'user') HTTP auth can never succeed.

Ben

--
don't get my sympathy hanging out the 15th floor. you've changed the locks 3
times, he still comes reeling though the door, and soon he'll get to you, teach
you how to get to purest hell. you do it to yourself and that's what really
hurts is you do it to yourself just you, you and noone else ** ben@morrow.me.uk

Re: How to generate http error in script

on 03.09.2007 03:29:29 by Petr Vileta

Gunnar Hjalmarsson wrote:
> Petr Vileta wrote:
>> I wrote script where some login is needed and I want to generate
>> standard http error when login data is wrong. The script below work
>> on MS-IIS but fail on Apache. What is the right way?
>
>
>
> Instead of
>
>> print "HTTP/1.1 401 Unauthorized\n",
>
> I'd just do:
>
> print "Status: 401 Unauthorized\n",
>
Yeah, of course. I'm stupid ;-) Thanks a lot.
--

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail
from another non-spammer site please.)

Re: How to generate http error in script

on 03.09.2007 04:47:04 by Sherm Pendley

"Petr Vileta" writes:

> I wrote script where some login is needed and I want to generate
> standard http error when login data is wrong. The script below work on
> MS-IIS but fail on Apache. What is the right way?

Why not just configure Apache to do that?

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net

Re: How to generate http error in script

on 03.09.2007 05:48:54 by Petr Vileta

Sherm Pendley wrote:
> "Petr Vileta" writes:
>
>> I wrote script where some login is needed and I want to generate
>> standard http error when login data is wrong. The script below work
>> on MS-IIS but fail on Apache. What is the right way?
>
> Why not just configure Apache to do that?
>
Because I do not use Apache authentication, only parameters passed by the GET
method. If all parameters are passed correctly then the script returns an XML
file; otherwise it must return an HTTP 401 error.

--

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail
from another non-spammer site please.)

Re: How to generate http error in script

on 03.09.2007 15:23:00 by hjp-usenet2

On 2007-09-03 03:48, Petr Vileta wrote:
> Sherm Pendley wrote:
>> "Petr Vileta" writes:
>>> I wrote script where some login is needed and I want to generate
>>> standard http error when login data is wrong. The script below work
>>> on MS-IIS but fail on Apache. What is the right way?
>>
>> Why not just configure Apache to do that?
>>
> Because I do not use Apache authentication but by parameters on GET method
> only. If all parameters are passed right then script return XML file, in
> other case must return http 401 error.

In this case 401 is probably wrong. 401 is intended to be used with the
WWW-Authenticate and Authorization headers:

| 10.4.2 401 Unauthorized
|
| The request requires user authentication. The response MUST include a
| WWW-Authenticate header field (section 14.47) containing a challenge
| applicable to the requested resource. The client MAY repeat the
| request with a suitable Authorization header field (section 14.8).
(RFC 2616: HTTP/1.1)

hp


--
_ | Peter J. Holzer | I know I'd be respectful of a pirate
|_|_) | Sysadmin WSR | with an emu on his shoulder.
| | | hjp@hjp.at |
__/ | http://www.hjp.at/ | -- Sam in "Freefall"

Re: How to generate http error in script

on 04.09.2007 04:13:16 by Petr Vileta

Peter J. Holzer wrote:
> On 2007-09-03 03:48, Petr Vileta wrote:
>> Sherm Pendley wrote:
>>> "Petr Vileta" writes:
>> Because I do not use Apache authentication but by parameters on GET
>> method only. If all parameters are passed right then script return
>> XML file, in other case must return http 401 error.
>
> In this case 401 is probably wrong. 401 is intended to be used with
> the WWW-Authenticate and Authorization headers:
>
Yes, right. But what other HTTP error do you suggest? I do not want to return
Status: 200 and a human-readable error message. I aspire to deter robots from
trying to download ;-)

Here are the errors that I know:
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request URL Too Long
415 Unsupported Media Type
416 Requested Range Not Satisfiable
417 Expectation Failed

--

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail
from another non-spammer site please.)

Re: How to generate http error in script

on 04.09.2007 06:34:57 by paduille.4061.mumia.w+nospam

On 09/03/2007 09:13 PM, Petr Vileta wrote:
> Peter J. Holzer wrote:
>> On 2007-09-03 03:48, Petr Vileta wrote:
>>> Sherm Pendley wrote:
>>
>> In this case 401 is probably wrong. 401 is intended to be used with
>> the WWW-Authenticate and Authorization headers:
>>
> Yes, right. But what other http error you suggest?
> [...]
> 403 Forbidden
> [...]

I would use that one.

Re: How to generate http error in script

on 04.09.2007 06:59:43 by 1usa

"Petr Vileta" wrote in
news:fbigit$2nj8$1@ns.felk.cvut.cz:

> Peter J. Holzer wrote:
>> On 2007-09-03 03:48, Petr Vileta wrote:
>>> Sherm Pendley wrote:
>>>> "Petr Vileta" writes:
>>> Because I do not use Apache authentication but by parameters on GET
>>> method only. If all parameters are passed right then script return
>>> XML file, in other case must return http 401 error.
>>
>> In this case 401 is probably wrong. 401 is intended to be used with
>> the WWW-Authenticate and Authorization headers:
>>
> Yes, right. But what other http error you suggest? I not want to
> return Status: 200 and human readable error message.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource. The client MAY repeat the request
with a suitable Authorization header field (section 14.8). If the
request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted authentication
at least once, then the user SHOULD be presented the entity that was
given in the response, since that entity might include relevant
diagnostic information. HTTP access authentication is explained in "HTTP
Authentication: Basic and Digest Access Authentication" [43].

403 is a perfectly acceptable code to return given your requirements:


10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated. If
the request method was not HEAD and the server wishes to make public why
the request has not been fulfilled, it SHOULD describe the reason for
the refusal in the entity. If the server does not wish to make this
information available to the client, the status code 404 (Not Found) can
be used instead.

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(remove .invalid and reverse each component for email address)
clpmisc guidelines:

Re: How to generate http error in script

on 04.09.2007 07:59:32 by Sherm Pendley

"Petr Vileta" writes:

> Peter J. Holzer wrote:
>> On 2007-09-03 03:48, Petr Vileta wrote:
>>> Because I do not use Apache authentication but by parameters on GET
>>> method only. If all parameters are passed right then script return
>>> XML file, in other case must return http 401 error.
>>
>> In this case 401 is probably wrong. 401 is intended to be used with
>> the WWW-Authenticate and Authorization headers:

I agree with Peter.

In the context of HTTP, user and password form elements are not special
in any way; they're just form data. That kind of login and HTTP auth are
basically oil and water - they don't mix well. If you use a 401 response,
you should pair it with standard HTTP auth. Conversely, if you use an HTML
login form, you shouldn't use a 401 when it fails.

> Yes, right. But what other http error you suggest?

I think "403 Forbidden" would be appropriate. The W3C's description of it
says "authorization will not help", but that simply means that the browser
shouldn't bother prompting for standard HTTP auth info, like it would for
a 401 response.

> I not want to
> return Status: 200 and human readable error message. I aspire to deter
> robots from trying to download ;-)

Note that your script can include content with a 403 response itself, or
you can use Apache's ErrorDocument config directive to specify a document
to return with 403 responses.

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net
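
Added example, not part of any post in this thread: a CGI script that applies the two points made above, sending the status through the CGI "Status" header field (via CGI.pm's header()) and refusing bad parameters with 403 rather than 401. It assumes CGI.pm is installed; the %accounts table, the response bodies and the function names cgi_response and respond are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): refuse a request whose GET
# parameters do not match, using the CGI "Status" header field.
use strict;
use warnings;
use CGI qw(:cgi);

# Constructed sample account table, using the values from the thread's
# example URLs. A real script would not keep plain-text passwords here.
my %accounts = (John => 'mypwd');

# Status used for every refusal. '404 Not Found' is the alternative
# suggested in the thread; 401 is not used because no WWW-Authenticate
# challenge is offered.
my $DENY = '403 Forbidden';

# Build a complete CGI response (header block plus body) as one string.
sub cgi_response {
    my ($status, $type, $body) = @_;
    # header() emits "Status: ..." and the web server turns that into
    # the real HTTP status line. The script never prints "HTTP/1.1 ...".
    return header(
        -status  => $status,
        -type    => $type,
        -charset => 'utf-8',
    ) . $body;
}

# Decide the response for one request from its user/pwd parameters.
sub respond {
    my ($user, $pwd) = @_;
    my $ok = defined $user
          && defined $pwd
          && exists $accounts{$user}
          && $accounts{$user} eq $pwd;

    if (!$ok) {
        # Same status and body whether the user name or the password
        # was wrong, or a parameter was missing altogether.
        return cgi_response($DENY, 'text/html',
            "<html><head><title>$DENY</title></head>\n"
          . "<body><h1>$DENY</h1></body></html>\n");
    }

    return cgi_response('200 OK', 'text/xml',
        qq{<?xml version="1.0" encoding="utf-8"?>\n<result>ok</result>\n});
}

# scalar() forces param() to return a single value per parameter.
print respond(scalar param('user'), scalar param('pwd'));
```

Run from a shell as `perl example.pl user=Joe pwd=mypwd` (CGI.pm reads key=value pairs from the command line when not under a web server) to see the header block it emits.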

Re: How to generate http error in script

on 04.09.2007 12:09:52 by hjp-usenet2

On 2007-09-04 02:13, Petr Vileta wrote:
> Peter J. Holzer wrote:
>> On 2007-09-03 03:48, Petr Vileta wrote:
>>> Sherm Pendley wrote:
>>>> "Petr Vileta" writes:
>>> Because I do not use Apache authentication but by parameters on GET
>>> method only. If all parameters are passed right then script return
>>> XML file, in other case must return http 401 error.
>>
>> In this case 401 is probably wrong. 401 is intended to be used with
>> the WWW-Authenticate and Authorization headers:
>>
> Yes, right. But what other http error you suggest? I not want to
> return Status: 200 and human readable error message. I aspire to deter
> robots from trying to download ;-)

Others have already suggested 403. I am adding 404 as a possible
alternative.

Rationale: You are passing username and password as part of the url. So

/foo/bar?user=petr;pass=secret

is acceptable, and

/foo/bar?user=hjp;pass=geheim

is not, because no user "hjp" with password "geheim" was found in your
user database. This is conceptually not much different from

/foo/doc/?id=1234

not being acceptable because a document with id 1234 wasn't
found in your document store, or

/foo/bar/baz.html

not being acceptable because a file foo/bar/baz.html wasn't found below
your document root. In all these cases a lookup for the entity requested
for the browser failed.

hp

--
_ | Peter J. Holzer | I know I'd be respectful of a pirate
|_|_) | Sysadmin WSR | with an emu on his shoulder.
| | | hjp@hjp.at |
__/ | http://www.hjp.at/ | -- Sam in "Freefall"

Re: How to generate http error in script

on 04.09.2007 15:25:51 by Petr Vileta

Sherm Pendley wrote:
> "Petr Vileta" writes:
>
>> Peter J. Holzer wrote:
>>> On 2007-09-03 03:48, Petr Vileta wrote:
>>>> Because I do not use Apache authentication but by parameters on GET
>>>> method only. If all parameters are passed right then script return
>>>> XML file, in other case must return http 401 error.
>>>
>>> In this case 401 is probably wrong. 401 is intended to be used with
>>> the WWW-Authenticate and Authorization headers:
>
>> Yes, right. But what other http error you suggest?
>
> I think "403 Forbidden" would be appropriate. The W3C's description
> of it says "authorization will not help", but that simply means that
> the browser shouldn't bother prompting for standard HTTP auth info,
> like it would for a 401 response.
>
I'm used to seeing this error when I go to a directory (meaning a URL) where
nobody can go. Maybe by some RFC this is the right response, but by human
logic it is not :-) My script is in a directory where users can go, but they
must pass the right parameters or call other scripts. For example
http://www.domain.com/test/ is allowed and returns some HTML code and status
200
http://www.domain.com/test/mytest.cgi is the same, but returns XML code
http://www.domain.com/test/othertest.cgi?user=John&pwd=mypwd is a good script
call with the right parameters and returns status 200 and HTML code
http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd is a good script
call but with the wrong user passed, and must return a human-readable error
message and some appropriate HTTP error. To my mind it follows logically
that the user tries to _login_ but with the _wrong_ username, so the HTTP
error should be the same as the human-readable message "Bad login" = Status: 401.
But this is a matter of controversy :-)
--

Petr Vileta, Czech republic
(My server rejects all messages from Yahoo and Hotmail. Send me your mail
from another non-spammer site please.)


>> I not want to
>> return Status: 200 and human readable error message. I aspire to
>> deter robots from trying to download ;-)
>
> Note that your script can include content with a 403 response itself,
> or you can use Apache's ErrorDocument config directive to specify a
> document to return with 403 responses.
>
> sherm--

--
Petr

Skype: callto://fidokomik

There is no point in sending anything to the e-mail address given in the
message header, it ends up in PR* :-) Reply to petr at practisoft cz

Re: How to generate http error in script

on 04.09.2007 20:02:25 by 1usa

"Petr Vileta" wrote in
news:fbjmp7$8ma$1@ns.felk.cvut.cz:

> Sherm Pendley wrote:
>> "Petr Vileta" writes:
>>
>>> Peter J. Holzer wrote:
>>>> On 2007-09-03 03:48, Petr Vileta wrote:
>>>>> Because I do not use Apache authentication but by parameters on
>>>>> GET method only. If all parameters are passed right then script
>>>>> return XML file, in other case must return http 401 error.
>>>>
>>>> In this case 401 is probably wrong. 401 is intended to be used with
>>>> the WWW-Authenticate and Authorization headers:
>>
>>> Yes, right. But what other http error you suggest?
>>
>> I think "403 Forbidden" would be appropriate. The W3C's description
>> of it says "authorization will not help", but that simply means that
>> the browser shouldn't bother prompting for standard HTTP auth info,
>> like it would for a 401 response.
>>
> I'm used to see this error when I can go to directory (mean URL) where
> nobody can to go. Maybe by some RFC this is right response but by
> human logic not :-)

By human logic, you discussing HTTP return codes here is also wrong. A
few of us nicely suggested an alternative. You can use it or not but
trying to discuss whether your desire to use HTTP status codes when you
are not using HTTP authorization is sensible, the pros and the cons,
those are all off-topic.

Sinan

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(remove .invalid and reverse each component for email address)
clpmisc guidelines:

Re: How to generate http error in script

on 04.09.2007 21:38:23 by Sherm Pendley

"Petr Vileta" writes:

> By my mind
> logically flow from it that user try _login_ but with _wrong_
> username, so the HTTP error should be the same as human readable
> message "Bad login" = Status: 401.
> But this is the question to controversy :-)

401, by definition, refers to standard HTTP authorization. Since you're
not using standard HTTP authorization, it's an incorrect response. It's
not controversial, *every* reply you've received has told you the same.

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net

Re: How to generate http error in script

on 05.09.2007 14:15:30 by hjp-usenet2

On 2007-09-04 13:25, Petr Vileta wrote:
> Sherm Pendley wrote:
>> "Petr Vileta" writes:
>>
>>> Peter J. Holzer wrote:
>>>> On 2007-09-03 03:48, Petr Vileta wrote:
>>>>> Because I do not use Apache authentication but by parameters on GET
>>>>> method only. If all parameters are passed right then script return
>>>>> XML file, in other case must return http 401 error.
>>>>
>>>> In this case 401 is probably wrong. 401 is intended to be used with
>>>> the WWW-Authenticate and Authorization headers:
>>
>>> Yes, right. But what other http error you suggest?
>>
>> I think "403 Forbidden" would be appropriate. The W3C's description
>> of it says "authorization will not help", but that simply means that
>> the browser shouldn't bother prompting for standard HTTP auth info,
>> like it would for a 401 response.
>>
> I'm used to see this error when I can go to directory (mean URL) where
> nobody can to go. Maybe by some RFC this is right response but by human
> logic not :-)

Judging from the replies you are the only human in this group then.

> My script is in directory where users can to go but must pass
> a right parameters or call other scripts.

"Script" and "directory" are concepts which have little meaning in HTTP.
You send a request and you get a reply. Whether there are such things as
scripts or files or directories or whatever on the server is in general
unknowable to the client and mostly irrelevant (the characters '/' and
'?' do have some meaning in the interpretation of relative URLs,
though).

> For example
> http://www.domain.com/test/ is allowed and return some html code and status
> 200
> http://www.domain.com/test/mytest.cgi is the same, but return xml code
> http://www.domain.com/test/othertest.cgi?user=John&pwd=mypwd is good script
> calling with right parameters and return status 200 and html code
> http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd

http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd is a
different URL than
http://www.domain.com/test/othertest.cgi?user=John&pwd=mypwd . It is
possible to argue that
http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd doesn't exist
(404 error), or that you aren't allowed to access
http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd (403 error).
But a 401 error makes no sense: No authentication will make the URL
http://www.domain.com/test/othertest.cgi?user=Joe&pwd=mypwd accessible.
You *must* change the URL to either
http://www.domain.com/test/othertest.cgi?user=John&pwd=mypwd or
http://www.domain.com/test/othertest.cgi?user=Joe&pwd=otherpwd.

hp


--
_ | Peter J. Holzer | I know I'd be respectful of a pirate
|_|_) | Sysadmin WSR | with an emu on his shoulder.
| | | hjp@hjp.at |
__/ | http://www.hjp.at/ | -- Sam in "Freefall"