Contributed by rodry on Sep 02, 2000 at 00:36 UTC
Q&A  > CGI programming


I have a private area in a website that I protected using HTTP authentication. That is, I password-protected a directory and its files.

However, I did not realize that since the pages in that directory call scripts from /cgi-bin (which anyone can access), that those pages are not really that secure.

Which raises the question, for which situations are cookies a better choice than HTTP authentication and viceversa.

Thanks in advance.

Answer: Security: Cookies vs HTTP authentication
contributed by vaevictus

cookies and HTTP authentication are not really very secure either of them... you can always hack around their code... and it's sniffable.

HTTPS is much better...

To elaborate more, cookies are not any form of authentication, inherently, because they're just client stored variables. Anyone can have them, edit them and change them. You could encode some sort of key and try try to keep track of the users' sessions or just the users themselves. You are still going to have to do some sort of login technique. If I'm not mistaken, HTTP authentication sets cookies anyway.

If you're worried about "security" you'll need to subdivide "security" by what you're worried about. If you need to be sure that a user says he's who he is, you'll need to use some sort of cryptography and authentication technique. If you're going to have content that 3rd parties cannot see, you'll have to invest some time and/or money or both into HTTPS. If you're worried about someone rooting your box, you'll have to be very careful with your scripts, global variables, and even your webserver setup and version.

Security is not a goal, it is a way of Life.

Answer: Security: Cookies vs HTTP authentication
contributed by Fastolfe

If you're already authenticating with HTTP authentication, I would stick with that rather than writing a bunch of state management stuff with cookies. This is all handled by the web server with HTTP auth, so I would see about protecting a subdirectory under /cgi-bin/ or reconfigure the server so that you can run your protected CGI scripts under the directory that you already have protected. I have never understood why sites insist on using all sorts of complex state management code and cookies with "authenticated" sessions when HTTP authentication will do all of this for them, giving the CGI script a nice friendly environment variable with the username. Plus you don't have to worry about invalidating URL's or having obfuscated keys showing up in access/referer logs for your server or sites you link to. It's all just a big headache, and unless you find a quality pre-written installation, it's not worth it. Stick with some form of HTTP authentication and you'll have much less headache. Of course, either mechanism, as another poster mentioned, is susceptible to monitoring by a 3rd party, which is why you'd want to use SSL if you're concerned about this. Unless you're trafficking sensitive data, I wouldn't worry.

Answer: Security: Cookies vs HTTP authentication
contributed by rodry

How about sites that don't use HTTPS and still have some sensitive information that they secure by means of cookies.

Take for example You store sensitive information about yourself and the poeple in your group. Not to mention pictures, resumes, etc. Yet I don't remember having to go thru a HTTPS secured page to login or authenticate.

That kind of security is enough for me. What do you think.

Please (register and) log in if you wish to add an answer

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.