SPUG: Login Page and Cookies

Aaron Salo aaron at activox.com
Fri Oct 24 11:26:36 CDT 2003


At 02:11 AM 10/24/2003 -0700, Sam Carpenter wrote:
>Ben, you make perfect sense - I really appreciate your help!  I just 
>need to figure out how to generate the md5 hash and I will be all set 
>(something I am sure I can find on perldoc or CPAN).

If you're running on apache, and mod_unique_id is turned on, you should be
able to take advantage of that. 

my $lstring = $ENV{'UNIQUE_ID'};

will give you a unique id you can use as a session tracker, etc. If not,
scroll down to the end of this note for a quickie package to make a
somewhat unique MD5 hashed string.

While on topic, one thing about cookies is that some people wanna pop a
half dozen separate ones to track six values. Using CGI.pm this is not
necessary because you can put multiple name/val pairs into a hash and just
throw the hash into a single cookie. Here is a code snip that illustrates
how to do that.

Note: cookies are inherently Not Secure. People can easily manip them. So
with only a little extra work, you can make them pretty secure. After I
auth a user, I stuff the UNIQUE_ID into the table along with their other
info. Then on all subsequent page calls, I check the value in the cookie
against the value in the db. This prevents someone from manually hacking
the cuid in their cookie and trying to get access to a different user's
account. If they change the cuid in their cookie, their hash string won't
match the hash string for the uid they're trying to hijack, and they get
booted out of the system on the next page call. Bam.

The snip below presumes you have already auth'd the user and fetched their
variables out of the appropriate db table and have those variables exposed
(like $fname, $lname, etc...). 

================
PUTTING STUFF IN using cookie leverage in CGI.pm
================

use strict;
use warnings;
use CGI qw(:standard);
use DBI;

# Presumed already done above this point (see the note before this snip):
# the user has been auth'd, $dbh is a connected DBI handle, and $cuid,
# $fname, $lname, $email and $ccid were fetched from the user's db row.
# Under "use strict" those are declared by that earlier code.

my $lstring = $ENV{'UNIQUE_ID'};     # from mod_unique_id
my $ipaddr  = $ENV{'REMOTE_ADDR'};   # assumed source for the client address

# stash the id alongside the user's row so later page calls can check it
# (table and column names are assumed; adjust to your schema)
my $sql = 'UPDATE users SET ipaddr = ?, lstring = ? WHERE cuid = ?';
my $sth = $dbh->prepare($sql) or die $DBI::errstr;
$sth->execute($ipaddr, $lstring, $cuid) or die $DBI::errstr;

# cookie time - set it
my %AuthCookie = (
    cuid    => $cuid,
    lstring => $lstring,
    fname   => $fname,
    lname   => $lname,
    email   => $email,
    ccid    => $ccid,
);

# make a hash cookie. mmmmm. cookie.
# CGI.pm accepts a hash ref as -value and serializes the pairs for you
my $cookie = cookie(
    -name  => 'AuthToken',
    -value => \%AuthCookie,
    -path  => '/',
);

# give them the cookie
print header(-cookie => $cookie);

==========================
GETTING STUFF OUT using cookie leverage in CGI.pm
==========================

# once you've set the hash cookie above
# you can get the vals using keys, just like manip of a normal hash
# life is sooooooo damned good

my %authcookie = cookie('AuthToken');
my $Xcuid      = $authcookie{'cuid'};
my $Xlstring   = $authcookie{'lstring'};
my $Xfname     = $authcookie{'fname'};
my $Xlname     = $authcookie{'lname'};
my $Xemail     = $authcookie{'email'};
my $Xccid      = $authcookie{'ccid'};

==============================
ROLLING YOUR OWN UNIQUE KEY if mod_unique_id is not available
==============================

# here is a tiny module that throws the gimme_key function
# using MD5 - save the next few hunks as Enc.pm

===snip======
package Enc;
use strict;
use warnings;
require Exporter;
our @ISA    = qw(Exporter);
our @EXPORT = qw(gimme_key);
use Digest::MD5 qw(md5_hex);   # the old MD5 module is only a wrapper around Digest::MD5

# hex MD5 of everything you pass in, with the current time() tacked on.
# Same inputs in the same second give the same key, so pass something
# distinctive per caller (see the note further down).
sub gimme_key {
    my @rec = @_;
    my $phrase = join('', @rec, time);
    return md5_hex($phrase);
}

1;
====snip=========

# now use this in your program by calling 

use Enc;

# voila. here's how you get a unique keystring

# throw the function a value somewhat unique
# like the user's email address, their uid
# or whatever you have available
# you'll be cool as long as two people don't throw the same value
# in the same second which is pretty okay mostly. mostly.
# NOTE - if you don't throw a value here, and you ask for two keys in the
# same second, they will be identical - that would probably be bad.

my $key = gimme_key($userid, $useremail, $whatever_you_got,
$budget_deficit, $can_opener, $foo, $bar, $you_get_the_drift);

Hope this is useful
Aaron
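A worked follow-up, added here and not part of Aaron's post or his code. The
check-the-cookie-against-the-db idea above only holds up if the stored value
cannot be guessed: mod_unique_id builds UNIQUE_ID from the server address,
pid, timestamp and a counter, so it is unique but not secret, and gimme_key()
is MD5 over fields an attacker may already know (uid, email) plus time(),
which changes once a second. The script below first shows how few tries it
takes to recover such a key when you know the inputs and roughly when the
user logged in, then does the same cuid + lstring scheme with a random
256-bit token read from /dev/urandom, stored on the server side, and compared
in constant time. The %users hash stands in for the db table, and the user
records, IPs and timestamp are constructed for the demo; it assumes a Unix
host with /dev/urandom and Perl 5.10 or later.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Shows (1) that a key made of
# MD5(fields the attacker may know . time) can be enumerated, and (2) a random
# session id stored server-side and checked on every request instead.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# (1) The shape of the post's gimme_key(): everything but time() is user data.
sub gimme_key_at {
    my ($t, @rec) = @_;
    return md5_hex(join('', @rec, $t));
}

# An attacker who knows the victim's uid and email and roughly when they
# logged in only has to try one candidate per second in that window.
sub guess_key {
    my ($target, $guess_time, $window, @rec) = @_;
    for my $t ($guess_time - $window .. $guess_time + $window) {
        return $t if gimme_key_at($t, @rec) eq $target;
    }
    return;    # not in the window
}

# (2) Replacement: 256 bits from the kernel CSPRNG, hex encoded.
# Assumes a Unix host with /dev/urandom.
sub random_token {
    my $nbytes = @_ ? shift : 32;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $n = read($fh, my $bytes, $nbytes);
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == $nbytes;
    return unpack('H*', $bytes);
}

# Compare two tokens without stopping at the first mismatching byte, so the
# response time does not leak how much of a guess was right.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Stand-in for the db table the post writes lstring into (constructed data).
my %users = (
    42 => { fname => 'Sam', lname => 'Carpenter', email => 'sam@example.com' },
    43 => { fname => 'Ben', lname => 'Example',   email => 'ben@example.com' },
);

# On successful auth: mint a token, store it by cuid, and hand back only what
# the cookie needs. Names, email and ccid stay in the db; the cookie is an
# opaque handle, not a copy of the record.
sub login {
    my ($cuid, $ipaddr) = @_;
    my $token = random_token();
    $users{$cuid}{lstring} = $token;
    $users{$cuid}{ipaddr}  = $ipaddr;   # recorded; enforcing it is a policy choice (NAT, roaming)
    return { cuid => $cuid, lstring => $token };
}

# On every later page call: look the user up by the cuid in the cookie and
# require the cookie's lstring to match the stored one.
sub check_request {
    my ($cookie) = @_;
    my $u = $users{ $cookie->{cuid} // '' } or return 0;
    return tokens_equal($u->{lstring}, $cookie->{lstring}) ? 1 : 0;
}

# Logout: drop the server-side token so a copied cookie is dead too.
sub logout {
    my ($cuid) = @_;
    delete $users{$cuid}{lstring};
}

# --- demo ---------------------------------------------------------------
my @rec        = (42, 'sam@example.com');
my $login_time = 1066990000;                       # constructed timestamp
my $weak       = gimme_key_at($login_time, @rec);
my $found      = guess_key($weak, $login_time + 40, 120, @rec);   # attacker's estimate is 40s off
printf "MD5(uid,email,time) key: recovered login time %s\n", defined $found ? $found : 'not found';

my $sam = login(42, '10.0.0.5');
my $ben = login(43, '10.0.0.6');
printf "genuine cookie:     %s\n", check_request($sam) ? 'accepted' : 'rejected';
printf "cuid edited to 43:  %s\n", check_request(+{ %$sam, cuid => 43 }) ? 'accepted' : 'rejected';
printf "forged lstring:     %s\n", check_request({ cuid => 42, lstring => 'f' x 64 }) ? 'accepted' : 'rejected';
logout(42);
printf "after logout:       %s\n", check_request($sam) ? 'accepted' : 'rejected';
```

Drop this into the CGI.pm snips above by replacing $ENV{'UNIQUE_ID'} with
random_token() and putting only cuid and lstring in %AuthCookie. With a
current CGI.pm, also pass -secure => 1 and -httponly => 1 to cookie() so the
token travels only over HTTPS and is not readable from page script.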



