SPUG: Login Page and Cookies

Ben Reser ben at reser.org
Fri Oct 24 03:42:02 CDT 2003


On Fri, Oct 24, 2003 at 12:26:40AM -0700, Sam Carpenter wrote:
> I am just getting started with Perl (switching from Java and .NET) and 
> I have a project where I want to create a login page instead of using 
> .htaccess.  I have the book, "Writing CGI Applications with Perl" by 
> Kevin Meltzer and Brent Michalski.  The authors have an example 
> application (chapter 14) where they create a login page and use the CGI 
> module to set and verify cookies to verify whether a user is logged in 
> or not.  Is this an acceptable way to manage user logins?

Yes.  I just recently implemented something like this.  I set a cookie
with the following information:
userid
time issued
time cookie expires (this is in the data section, you can't rely on the
browser expiring the cookie for security reasons)
mask which specifies what permissions are given to the user
md5 hash of the above data and a secret that is only held on the server.

Once that cookie is set you can verify their access by looking for the
cookie, taking the data and the secret and regenerating the hash.  If
the hash you generated and the hash in the cookie match you can trust
the access the cookie says it has.

You could also throw in an ip address mask of some sort on there to
help limit replaying someone else's credentials.

If you need further information just ask.  It's late so I'm probably not
making as much sense as I should nor am I providing code examples...

> For clarification, I am just writing a simple quoting application for a 
> customer with less than 10 users.  Therefore the security doesn't need 
> to be bullet-proof but it should be somewhat trustworthy.  I am not 
> going with .htaccess for aesthetic reasons and a custom login page 
> gives me easy access to the user id (assuming that getting through 
> .htaccess would be difficult?).

Actually it's easier.  It's provided to you in the REMOTE_USER
environment variable by the webserver.

-- 
Ben Reser <ben at reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
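The signed-cookie scheme Ben describes, as an added example that is not his code (and in Python rather than the Perl the thread is about): the expiry sits inside the signed data and is checked on the server, the permission mask is a bit field, and the hash over the data and the server-held secret is done with HMAC-SHA256 in place of a bare MD5 of the concatenation, since HMAC is the standard keyed construction for this and is not open to length extension. The secret, field layout, permission bit names and sample values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret: never sent to the browser, only used to
# sign and verify the cookie.
SECRET = b"constructed-example-secret-do-not-reuse"

# Permission bits carried in the cookie's mask field (names are assumptions).
PERM_READ, PERM_QUOTE, PERM_ADMIN = 1, 2, 4


def make_cookie(userid, perm_mask, ttl_seconds, now=None, secret=SECRET):
    """Build 'userid:issued:expires:mask:mac'. The expiry is part of the
    signed data, so the server enforces it instead of trusting the browser."""
    issued = int(time.time()) if now is None else now
    payload = f"{userid}:{issued}:{issued + ttl_seconds}:{perm_mask}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_cookie(cookie, now=None, secret=SECRET):
    """Return (userid, perm_mask) when the MAC matches and 'now' falls inside
    the issued..expires window, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = cookie.rsplit(":", 4)  # split from the right: userid may hold ':'
    if len(parts) != 5:
        return None
    payload, mac = ":".join(parts[:4]), parts[4]
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain '==' leaks how many leading bytes match.
    if not hmac.compare_digest(expected, mac):
        return None
    # Only after the MAC checks out are the fields trusted enough to parse.
    try:
        issued, expires, mask = (int(p) for p in parts[1:4])
    except ValueError:
        return None
    if not issued <= now < expires:
        return None
    return parts[0], mask


def has_permission(cookie, perm, now=None):
    """True only for a valid, unexpired cookie whose mask includes 'perm'."""
    result = verify_cookie(cookie, now=now)
    return result is not None and bool(result[1] & perm)
```

Tampering with any field (for instance raising the mask) or forging a cookie under a different secret fails the MAC check, and a cookie whose expiry has passed is rejected even if the browser still sends it.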
