More and more RPG developers use web pages instead of the ancient 5250 green screens to interface with their users. One of the first challenges you face when creating a web interface is how to control access to sensitive data.
Perhaps the easiest way is to let the HTTP server provide a login prompt using what it calls "basic authentication." Unfortunately, this type of authentication is far from perfect. The server asks the browser for a user name and password on every individual HTTP request. To avoid annoying the user, the browser asks for this information only once and then automatically sends it to the server with each request.
This causes two security challenges:
We've all been to web sites that have both login and logout buttons (SystemiNetwork.com is an example). How do they do that? Instead of relying on the server's "basic authentication," they actually write code in their application to handle logins and logouts.
When a user logs in and their password has been validated, a cookie is set in their browser with a "session number." Each time they return to the web site, the session number is sent and used to look up the user name and password.
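
The session-number scheme described above, as an added Python sketch (not code from Giovanni's utility or from CGIDEV2): the password is checked once, the browser then carries only a random session number, and logout makes the server forget it. The cookie name, the timeout and the `check_password` callback are assumptions, and this sketch stores only the user name against the session number.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"  # hypothetical cookie name
SESSION_TTL = 1800         # assumed idle timeout in seconds

class SessionStore:
    """Server-side table mapping a random session number to a user name."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # session id -> (user name, expiry time)

    def login(self, user, password, check_password):
        """Validate the password once; return a Set-Cookie value, or None."""
        if not check_password(user, password):  # caller-supplied validator
            return None
        sid = secrets.token_urlsafe(32)  # unguessable value, not a counter
        self._sessions[sid] = (user, self._clock() + self._ttl)
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = sid
        cookie[COOKIE_NAME]["httponly"] = True  # hidden from page scripts
        cookie[COOKIE_NAME]["secure"] = True    # sent over HTTPS only
        cookie[COOKIE_NAME]["path"] = "/"
        return cookie[COOKIE_NAME].OutputString()

    def user_for(self, cookie_header):
        """Return the user for a request's Cookie header, or None."""
        morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
        entry = self._sessions.get(morsel.value) if morsel is not None else None
        if entry is None:
            return None  # no cookie, or a session number we never issued
        user, expires = entry
        if self._clock() >= expires:
            del self._sessions[morsel.value]  # idle too long: force a new login
            return None
        self._sessions[morsel.value] = (user, self._clock() + self._ttl)
        return user

    def logout(self, cookie_header):
        """Forget the session server-side so the old cookie stops working."""
        morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
        if morsel is not None:
            self._sessions.pop(morsel.value, None)
```

Because the session is deleted on the server at logout, a copy of the old cookie value is useless afterwards, which is what makes a real logout button possible.
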
Recently, Giovanni Perotti wrote a free open-source utility to make it easy to do this type of login and logout with CGIDEV2. He has posted this utility on Easy400.net.
You can read more about Giovanni's login and logout tool at the following link:
http://www.easy400.net/loginout/tutorial/intro.htm