[Nomads-pm] Safety of storing pricing information in a CGI::Session

Brian Wisti brianwisti at yahoo.com
Fri Feb 4 12:22:14 PST 2005


Hi Michael,

The security issue depends on how CGI::Session happens to be storing
sessions for your install. It might be using a database or a file, and
I've even seen a very silly person tweak it so it used cookies.
Basically, the safest thing to do is be suspicious of anything that
comes from outside your program.

On the other hand, why do you want to store the total price in the
first place? If it's because of performance concerns, then remember
that the CPU cost of IO is generally higher than the cost of
calculation for simple calculations such as price totals.

Kind Regards,

Brian Wisti
http://coolnamehere.com/

P.S. Oh, and "Hi everyone from a new member based in Seattle,
Washington, US" :-)

--- Michael Kraus <mkraus at wildtechnology.net> wrote:

> G'day all...
> 
> I'm currently using CGI::Session as part of an online ordering
> system.
> 
> I've been passing database primary keys back and forth between the
> client and server, with all values double checked upon being received
> at the server.
> 
> The only problem is that I need to present the total price to the
> client at more than one point of operation, and I have been
> recalculating the price each time.
> 
> How safe is it to store the pricing information on the session object
> itself - are there any security flaws or issues of which I should be
> aware? (I'm figuring it's pretty safe - but I'd rather be
> ultra-sure.)
> 
> I guess, what I'm really asking is if there are any methods of security
> violations associated with CGI::Session that I should be aware of...?
> 
> Thanks heaps!
> 
> Regards,
>  
> 
> Michael S. E. Kraus
> B. Info. Tech. (CQU), Dip. Business (Computing)
> Software Developer - Wild Technology Pty Ltd
> 
> 
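To illustrate Brian's advice in code (an added example, not from either message): the session keeps only validated product IDs and quantities, and the total is recomputed from server-side prices every time it is displayed, so nothing the client can influence decides the price. It assumes the File driver with sessions under /tmp; the price table is a constructed stand-in for the product database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Constructed, server-side price table standing in for the product database.
# Prices are in cents so totals never suffer floating-point rounding.
my %PRICE_CENTS = (
    101 => 1999,    # widget
    102 => 549,     # gadget
    103 => 12000,   # gizmo
);

# Only product IDs and quantities from the client go into the session, and
# only after validation; the total itself is never stored.
sub add_to_cart {
    my ($session, $product_id, $qty) = @_;
    return 0 unless defined $product_id && $product_id =~ /^\d+$/;
    return 0 unless exists $PRICE_CENTS{$product_id};    # unknown key: reject
    return 0 unless defined $qty && $qty =~ /^\d+$/ && $qty > 0 && $qty <= 100;
    my $cart = $session->param('cart') || {};
    $cart->{$product_id} = ($cart->{$product_id} || 0) + $qty;
    $session->param('cart', $cart);                        # keys and quantities only
    return 1;
}

# Recompute the total from the server-side prices each time it is shown.
sub cart_total_cents {
    my ($session) = @_;
    my $cart  = $session->param('cart') || {};
    my $total = 0;
    for my $id (keys %$cart) {
        # A stale session may hold an ID no longer sold; skip it rather than trust it.
        next unless exists $PRICE_CENTS{$id};
        $total += $PRICE_CENTS{$id} * $cart->{$id};
    }
    return $total;
}

my $cgi     = CGI->new;
my $session = CGI::Session->new('driver:File', $cgi, { Directory => '/tmp' });
my $product_id = $cgi->param('product_id');   # scalar context: avoids list-context surprises
my $qty        = $cgi->param('qty');
add_to_cart($session, $product_id, $qty);
$session->flush;                               # write the cart back to its file store
print $session->header;
printf "Total: \$%.2f\n", cart_total_cents($session) / 100;
```

Because the total is derived from %PRICE_CENTS on every request, a tampered session store (file, database or, in the cookie case Brian mentions, the client itself) can at most change which valid products and quantities are in the cart, never the price charged for them.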
