  • Public Source
  • LogInOut approach
  • Defining users
  • Application development
  • Appendix A - Installation
  • Appendix B - LOGINOUT service program
  • Appendix C - HTTP-based login technique

CGI session log manager

Access to sensitive web applications is generally implemented through some login procedure. A login procedure requires user identification through

  • a user name and
  • a user password

An easy and inexpensive way to provide such a login procedure is to rely on the protection provided by the HTTP server. Through some Apache directives one may require that some or all of the static and dynamic pages of a web application can be accessed only after logging in to the HTTP server. Validation of the login data can be implemented through system user profiles or a validation list (see Appendix C).

User profiles, while convenient for intranet applications accessed by a few people, are not appropriate when the number of users grows to dozens or hundreds of people:

  • user profiles are rather expensive in terms of system resources
  • there should be a different user profile for each user (so that a CGI may establish who is who)
  • user profiles are doors to the whole system, which one may not want to open to too many people, for obvious security management reasons

Validation lists are rather more recent objects (dating from V4R2), especially designed to support internet users. They look like small files, containing some data (user name, password, comment) for each internet user. Actually they are not files; they are more like user spaces. There are no system commands or utilities to browse or print them or to change their contents. The only access is through system APIs, which means that you must be a proficient iSeries programmer to create utilities to manage them. The only IBM software able to maintain validation lists is the HTTP wizard, that is the *ADMIN HTTP server instance that you may start on port 2001.
Library LOGINOUT provides a utility to maintain validation lists. This utility is discussed in "Defining users".

The only problem, when using this type of protection based on user profiles or validation lists, may be with the logout procedure.
As a matter of fact, in this case there is no logout procedure. Once your access to a protected application has been validated, this validation is granted for all the sessions of your browser. The only way to get rid of it (logout) is to close all the sessions of that browser.
This may raise a security issue. You are urgently called by your manager, there is no time to close all browser sessions, there is no immediate logout button, and ... your PC is left unattended while still able to access one of the most sensitive company applications.

Some application designers therefore require a different approach to application protection. They require a logout button that cuts off any further possibility to access a protected application without logging in again. Read about this approach on the next page.
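To make the contrast concrete, here is an added Python model (not code from LogInOut or Easy400, and not a description of how LogInOut itself works) of the two behaviours discussed above: a browser that has authenticated to the HTTP server resends its credentials on every request, so the server has nothing to revoke, whereas a server that keeps its own session table can drop an entry on logout. The validation list is a constructed dictionary standing in for the real object.

```python
import base64
import secrets

# Constructed stand-in for a validation list (user name -> password).
# It only mimics the lookup; it is not the real *VLDL object format.
VALIDATION_LIST = {"alice": "s3cret"}


def check_basic_auth(authorization_header):
    """Return the user named in an 'Authorization: Basic ...' header if the
    credentials match the list, else None. Repeated on every request."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user if VALIDATION_LIST.get(user) == password else None


class Browser:
    """A browser that, once it has authenticated to a realm, silently
    resends the same header with every request until it is closed."""
    def __init__(self, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cached_header = f"Basic {token}"

    def request(self):
        return check_basic_auth(self.cached_header)


def user_after_http_logout():
    """No server-side state exists to revoke, so whatever a 'logout' button
    does, the next request from the still-open browser authenticates again."""
    browser = Browser("alice", "s3cret")
    return browser.request()   # "alice": still logged in


# Session-based alternative: the server keeps a table of live sessions and
# the browser carries only an opaque session id. Logout deletes the entry,
# so later requests with that id fail even if the browser stays open.
SESSIONS = {}


def session_login(user, password):
    if VALIDATION_LIST.get(user) != password:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid


def session_logout(sid):
    SESSIONS.pop(sid, None)


def session_user(sid):
    return SESSIONS.get(sid)
```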

LogInOut is a public source utility authored by Giovanni B. Perotti, Italy.