#!/usr/bin/env python2.7
import cgi
import cgitb
import Cookie
import hmac
import os
import random
import re
import time
import uuid

from output import *

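cgitb.enable()  ## NOTE(review): cgitb renders tracebacks *with local variables* in the
                ## browser, so an unhandled exception here would expose the submitted
                ## password and the users file contents. Fine for local debugging only;
                ## in production prefer cgitb.enable(display=0, logdir=<writable dir>).

cookie = Cookie.SimpleCookie()                  # outgoing Set-Cookie header
cookie_string = os.environ.get('HTTP_COOKIE')   # raw incoming cookie header (not used below)
form = cgi.FieldStorage()                       # submitted form fields


def _credentials_valid(username, secret, users_path='users'):
    """Return True iff (username, secret) exactly matches a record in the users file.

    The file is assumed to hold one ``username password`` record per line,
    separated by a single space, with the password stored in plaintext
    (TODO confirm format; hashed storage would be the real fix).

    Args:
        username: value of the ``username`` form field, or None if absent.
        secret:   value of the ``password`` form field, or None if absent.
        users_path: path of the credential file.

    Returns:
        bool -- False for missing/non-string input or when no record matches.
    """
    # A missing field used to raise TypeError (None + ' '), which cgitb then
    # dumped to the browser together with the users file; treat it as a miss.
    if not isinstance(username, str) or not isinstance(secret, str):
        return False
    matched = False
    with open(users_path, 'r') as users:
        for line in users:
            fields = line.rstrip('\r\n').split(' ', 1)
            if len(fields) != 2:
                continue
            stored_user, stored_secret = fields
            # Compare whole fields instead of substring-searching the file: the
            # old ``s.find(login + ' ' + password)`` accepted any *prefix* of a
            # stored password and let a short username match inside another
            # user's record. hmac.compare_digest (Python 2.7.7+) compares each
            # field in constant time. No early return: every line is scanned.
            if (hmac.compare_digest(stored_user, username)
                    and hmac.compare_digest(stored_secret, secret)):
                matched = True
    return matched


# getfirst() returns one str even when the parameter is repeated; getvalue()
# would return a list and crash the string concatenation below.
login = form.getfirst('username')
password = form.getfirst('password')

if not _credentials_valid(login, password):
    # Failed login: show the error and issue no session. The original code
    # fell through after ShowError() and still wrote a session and redirected.
    ShowError()
else:
    # Fresh session id on every login (uuid4 draws from os.urandom), so a
    # pre-set cookie value is never promoted to an authenticated session.
    s_id = uuid.uuid4().hex
    cookie['session_id'] = s_id
    # XSS containment: the cookie is not readable from script.
    cookie['session_id']['httponly'] = '1'
    # NOTE(review): no 'secure' or 'path' attribute is set; add
    # cookie['session_id']['secure'] = '1' once the board is served over HTTPS.

    # CSRF token from the same os.urandom-backed generator as the session id.
    # random.random() is Mersenne Twister output: predictable from earlier
    # values and only ~53 bits per draw.
    csrf_token = uuid.uuid4().hex

    with open("sessions", "a") as sessions:
        # Record format: "<session_id> <username> <csrf_token>\n". login was
        # matched exactly against a stored username, so it cannot contain the
        # space or newline separators and cannot inject an extra record.
        sessions.write(s_id + ' ' + login + ' ' + csrf_token + '\n')

    print(cookie)
    RedirectToBoard()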