
[cgiapp] Re: [htmltmpl] Perl CGI authentication and session management


Bär, Sebastian wrote:
> Most session tracking software use the same approach:

Thanks for the reply.  :-)


> 1.) Establish an SSL connection
> 2.) Require the user to identify himself (username and password)
> 3.) Check against some kind of user database
> 4.) Create a unique session ID number which cannot easily be guessed
>     by others
> 5.) Store the ID on the users machine (cookie) or send it as part
>     of the HTTP request ("foo.bar.org/myscript?SID=a3cc69...")

As I thought.


Question: are the HTTP requests (with CGI fields and values, including
session_id) encrypted when using https?


> The biggest security issue is the session ID itself. If you write
> your application carefully no other session data will ever leave
> your server.

I should be able to do that.


> Cookies are a bit more insecure because they are stored on the
> client machine in unencrypted format.

Okay.


> If someone gets a copy of the ID (and the session has not expired
> yet) then he or she might be able to intercept the connection.
> Most session mechanisms use some kind of IP address matching to
> ensure each session ID is used from only one machine but this
> has to be considered as a weak obstacle for crackers since IP
> addresses may be spoofed easily.
> Of course this is mainly a client side issue but one your users
> should be aware of. If you choose the cookie approach then make
> sure the cookie expires when the browser is closed.

I suspected as much.  The only solution I could think of was digital
signatures on both the client and the server.


> I use CGI::Session in combination with HTML::Template and they
> cooperate well.  Nicest feature is that you can redisplay pages filled
> with session data with a few lines of code (e.g. if you want a user to
> correct input made earlier in the session).

Good.  I've been able to get CGI::Application, HTML::Template, and
CGI::FormBuilder working together, but it took careful reading of the
documents, a fair amount of thinking, and a bit of experimentation.
Thankfully, the various module authors anticipated the other modules and
provided hooks.  It has been satisfying to see OO code reuse actually
work in a real-world application!


David
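The five steps Sebastian lists, together with the two caveats in the thread (IP matching is only a weak obstacle, and the cookie should die with the browser), fit in one short CGI script. The following is an added example written for this archive page; it is not code from either poster. It assumes an HTTPS-only deployment, a writable /tmp/sessions directory, a templates/profile.tmpl file, and a user store stubbed with a constructed hash; verify_password() and the login_ip parameter are names invented for the example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): login handler following the five
# steps above with CGI, CGI::Session and HTML::Template.
use strict;
use warnings;
use CGI;
use CGI::Session;
use HTML::Template;
use Digest::SHA qw(sha256_hex);

my $cgi = CGI->new;
my %opts = ( Directory => '/tmp/sessions' );   # assumed, writable by the web server

# Step 1: insist on TLS so the session ID is never sent in the clear,
# whether it travels in a cookie or in a query parameter.
unless ( ( $ENV{HTTPS} // '' ) eq 'on' ) {
    print $cgi->redirect("https://$ENV{HTTP_HOST}$ENV{REQUEST_URI}");
    exit;
}

# Steps 2-3: constructed stand-in for a user database; it holds only
# salted SHA-256 hashes, never the passwords themselves.
my %users = (
    alice => { salt => 'c0nstructed-salt',
               hash => sha256_hex( 'c0nstructed-salt' . 'correct horse' ) },
);

sub verify_password {                 # hypothetical helper
    my ( $user, $pass ) = @_;
    my $rec = $users{$user} or return 0;
    return sha256_hex( $rec->{salt} . $pass ) eq $rec->{hash};
}

# Step 4: load the session named by the CGISESSID cookie or query field,
# or create one. CGI::Session's default ID generator (CGI::Session::ID::md5)
# draws on random data; never derive an ID from time or a counter.
my $session = CGI::Session->new( 'driver:File', $cgi, \%opts )
    or die CGI::Session->errstr;

# Weak obstacle, exactly as the thread says: drop a session that turns up
# from a different address than the one that logged in.
if ( defined $session->param('login_ip')
     && $session->param('login_ip') ne $ENV{REMOTE_ADDR} ) {
    $session->delete;
    $session->flush;
    $session = CGI::Session->new( 'driver:File', undef, \%opts );
}

if ( $cgi->request_method eq 'POST' ) {
    my ( $u, $p ) = ( $cgi->param('username'), $cgi->param('password') );
    if ( verify_password( $u, $p ) ) {
        # Issue a brand-new ID at login so an ID handed out before
        # authentication cannot be reused.
        $session->delete;
        $session->flush;
        $session = CGI::Session->new( 'driver:File', undef, \%opts );
        $session->param( 'username', $u );
        $session->param( 'login_ip', $ENV{REMOTE_ADDR} );
        $session->expire('+30m');     # server-side idle timeout
    }
}

# Step 5: send the ID as a cookie. Omitting -expires makes it a session
# cookie that the browser discards when closed; -secure keeps it off plain
# HTTP and -httponly keeps page scripts from reading it.
my $cookie = $cgi->cookie(
    -name     => $session->name,      # CGISESSID unless renamed
    -value    => $session->id,
    -path     => '/',
    -secure   => 1,
    -httponly => 1,
);
print $cgi->header( -cookie => $cookie );

# Redisplay a page pre-filled with session data: 'associate' lets
# <TMPL_VAR username> in the template read straight from the session,
# and nothing but the ID ever leaves the server.
my $tmpl = HTML::Template->new(
    filename  => 'templates/profile.tmpl',   # assumed template
    associate => $session,
);
$tmpl->param( logged_in => $session->param('username') ? 1 : 0 );
print $tmpl->output;
$session->flush;                      # write the session to disk
```

The template side needs nothing special: any `<TMPL_VAR name>` whose name matches a session parameter is filled in by `associate`, which is the "few lines of code" feature Sebastian describes.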


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2

