Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

RE: RE: Re: Passing CGI parameters on new CGI

by perlcgi (Hermit)
on May 23, 2000 at 19:19 UTC ( [id://14374]=note: print w/replies, xml ) Need Help??


in reply to (jcwren) RE: Re: Passing CGI parameters on new CGI
in thread Passing CGI parameters on new CGI

I think you might have a point about the hidden variables encouraging hackers. I suspect the word "hidden" triggers the curious.
Of course you can always check the referrer, but I accept that is not foolproof.
The hidden session id is a neat idea. Sure, it does'nt stop the occasional attempt to snarf someone else's id, but the amount of effort required outweights the simple pleasure of a vicarious hacking attempt, unlike just editing a url query-string, which can be done on the spur of the moment.
  • Comment on RE: RE: Re: Passing CGI parameters on new CGI

Replies are listed 'Best First'.
(jcwren) RE: (4): Passing CGI parameters on new CGI
by jcwren (Prior) on May 23, 2000 at 21:10 UTC
    It's true about attempting to snarf someone elses ID. There are a couple of packages out there generate pretty unique IDs. I use the current time in seconds plus the PID of the process of the perl instantiation when the user logged in.

    This is kept in a mySQL table, along with the last time the ID was seen (each time a user accesses a page). Each time the script is called it checks to see if any of the IDs in the table are older than 15 minutes, and if they are, they're deleted. This (obviously) prevents stale IDs from being targettable. It also gives me an accounting log of people who actually logoff the application, versus leaving an unsecured PC on the network. As a side effect, it pretty much makes sure that the correct user is logged in (as opposed to sharing PCs), since the system is accessed a number of times a day, but not typically within a 15 minute user by two different users on the same PC (this is just an artifact of the local environment, and would not hold true for higher volume sights).

    The system is vulnerable to packet sniffing on the local network, but truth be told, virtually no one around here is that proficient. Also, since we run on switches & routers, few people in the company can see other peoples traffic.

    All in all, for my environment, it's pretty secure.
[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://14374]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others chanting in the Monastery: (4)
As of 2024-04-25 21:27 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found