1 files changed, 39 insertions, 0 deletions

diff --git a/hw4/cgi-bin/login.py b/hw4/cgi-bin/login.py
new file mode 100755
index 0000000..a308dde
--- /dev/null
+++ b/hw4/cgi-bin/login.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python2.7
+import Cookie, os, time
+import re
+import uuid
+import cgi
+import cgitb
+import random
+
+from output import *
+
+cgitb.enable()		## allows for debugging errors from the cgi scripts in the browser
+
+cookie = Cookie.SimpleCookie() # for writing cookies
+cookie_string = os.environ.get('HTTP_COOKIE') # for reading cookies
+form = cgi.FieldStorage() # for reading GET data
+
+login = form.getvalue('username')
+password  = form.getvalue('password')
+with open('users', 'r') as users:
+    s = users.read()
+    if s.find(login + ' ' + password) == -1:
+        ShowError()
+
+    # else set session id cookie and store it in the file!
+    s_id = uuid.uuid4().hex
+    cookie['session_id'] = s_id # login
+
+    # xss protection -- set session_id cookie to httpOnly
+    cookie['session_id']['httponly'] = '1'
+
+    with open("sessions", "a") as myfile:
+        # csrf protection -- session token construction
+        random.seed()
+        csrfToken = str(random.random())
+        myfile.write(s_id + ' ' + login + ' ' + csrfToken + '\n')
+
+    print cookie
+
+RedirectToBoard()