10.7.2 Controlled Access Applications - Continued
We store user names, passwords and permissions in the passwd table. Passwords are stored one-way encrypted (hashed), so an attacker who obtains the table in a security breach cannot read everyone's passwords.
The mkadmin function initializes our table, creating our first admin user. Therefore we must first run mkadmin once from the command line (no web user should be allowed to re-initialize the table!):

    texis passwd/mkadmin.html
It creates the password table and the admin user, prompting us for a password to assign to that user. Now we can go to our browser and log in as the admin user. Since admin has full privileges, it's best we now create some non-admin "ordinary" users via the Create User link.
The core function is verifyuser. It is called at the top of every protected page in the application, via our look function. It checks the user and password against the table, and redirects to a login page if the user hasn't logged in or supplied a bad password. A session cookie is created with the user's data, so they only have to log in once per session.
The login function prompts users who are not yet logged in for their credentials. It submits to the protected application entry point, main in our patent script.
The okperm function checks a user's permission level, after we've verified their password with verifyuser. We can use this to deny non-admin users access to the admin pages, such as createuser and deluser: note the calls to <okperm> in those functions.
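The design described above (a passwd table with one-way hashed passwords, a verifyuser check at the top of every protected page, a per-session cookie, and an okperm check before admin-only actions) is shown below as an added example in Python, not Vortex code from the manual or the patent application it describes. The table is a constructed in-memory SQLite stand-in, the session store is a dictionary standing in for the session cookie, the PBKDF2 parameters and the "admin"/"ordinary" permission labels are this example's own assumptions, and the sample user names and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Assumed work factor for the one-way hash; the manual does not specify the algorithm.
PBKDF2_ITERATIONS = 200_000

# Stand-in for the session cookie store: session id -> logged-in user name.
SESSIONS = {}


def hash_password(password, salt):
    """One-way hash of a password with a per-user salt (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(conn, name, password, perm="ordinary"):
    """Insert a user into the passwd table; only the hash and salt are stored, never the password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO passwd (name, salt, pwhash, perm) VALUES (?, ?, ?, ?)",
        (name, salt, hash_password(password, salt), perm),
    )


def mkadmin(conn, admin_password):
    """Counterpart of the manual's mkadmin: create the table and the first admin user.
    Meant to run once from the command line, never from a web request."""
    conn.execute(
        "CREATE TABLE passwd (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB, perm TEXT)"
    )
    create_user(conn, "admin", admin_password, perm="admin")


def login(conn, name, password):
    """Check name/password against the table; return a new session id, or None on failure."""
    row = conn.execute("SELECT salt, pwhash FROM passwd WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long to reject as a wrong password.
        hash_password(password, b"\0" * 16)
        return None
    salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = name
    return sid


def verifyuser(cookie):
    """Top-of-page check: return the logged-in user, or None meaning 'redirect to login'."""
    return SESSIONS.get(cookie)


def okperm(conn, name, required):
    """Permission check, used only after verifyuser has identified the user."""
    row = conn.execute("SELECT perm FROM passwd WHERE name = ?", (name,)).fetchone()
    return row is not None and row[0] == required


def deluser_page(conn, cookie, target):
    """A protected admin page: verify the session first, then the permission, then act."""
    user = verifyuser(cookie)
    if user is None:
        return "redirect:login"
    if not okperm(conn, user, "admin"):
        return "forbidden"
    conn.execute("DELETE FROM passwd WHERE name = ?", (target,))
    return "deleted"


def demo():
    """Walk through the flow with constructed users and return each outcome by name."""
    conn = sqlite3.connect(":memory:")
    mkadmin(conn, "admin-pw")  # constructed sample password
    create_user(conn, "bob", "bob-pw")  # constructed ordinary user
    results = {}
    results["bad_password"] = login(conn, "bob", "wrong")
    results["unknown_user"] = login(conn, "nobody", "bob-pw")
    bob = login(conn, "bob", "bob-pw")
    results["bob_session_user"] = verifyuser(bob)
    results["no_cookie"] = deluser_page(conn, None, "bob")
    results["bob_deluser"] = deluser_page(conn, bob, "bob")
    admin = login(conn, "admin", "admin-pw")
    results["admin_deluser"] = deluser_page(conn, admin, "bob")
    results["bob_after_delete"] = login(conn, "bob", "bob-pw")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order inside deluser_page is the point: the session check runs before the permission check, and the permission check runs before any database write, so an unauthenticated request is redirected and an authenticated ordinary user is refused without touching the table.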