It's true about attempting to snarf someone else's ID. There are a couple of packages out there that generate pretty unique IDs. I use the current time in seconds plus the PID of the process of the perl instantiation when the user logged in.
This is kept in a mySQL table, along with the last time the ID was seen (each time a user accesses a page). Each time the script is called it checks to see if any of the IDs in the table are older than 15 minutes, and if they are, they're deleted. This (obviously) prevents stale IDs from being targetable. It also gives me an accounting log of people who actually log off the application, versus leaving an unsecured PC on the network. As a side effect, it pretty much makes sure that the correct user is logged in (as opposed to sharing PCs), since the system is accessed a number of times a day, but not typically within a 15 minute window by two different users on the same PC (this is just an artifact of the local environment, and would not hold true for higher volume sites).
The system is vulnerable to packet sniffing on the local network, but truth be told, virtually no one around here is that proficient. Also, since we run on switches & routers, few people in the company can see other people's traffic.
All in all, for my environment, it's pretty secure.
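The session handling described in the post, written out as an added example for this page (it is not the poster's code). It keeps the same shape: an ID issued at login, a last-seen timestamp refreshed on every hit, a sweep on every call that drops IDs idle for more than 15 minutes, and an explicit logoff that can be told apart from an idle expiry. The one deliberate change is that the ID is drawn from /dev/urandom instead of seconds plus PID, since both of those values are guessable and the post's own concern is someone snarfing another user's ID. The in-memory hash, the fixed clock values and the function names are assumptions standing in for the MySQL table; only core Perl modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);   # core module

# Sessions idle for longer than this are dropped, as in the post.
use constant IDLE_LIMIT => 15 * 60;

# Hypothetical in-memory store standing in for the MySQL table:
# session id => last_seen (epoch seconds). Constructed for this example.
my %sessions;

# Generate a session ID from 32 bytes of OS randomness.
# Unlike seconds + PID, this cannot be narrowed down from a clock or a
# process list, so an attacker is left guessing a 256-bit value.
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $bytes;
    my $n = read($fh, $bytes, 32);
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    my $id = encode_base64($bytes, '');   # '' suppresses the trailing newline
    $id =~ tr{+/=}{-_}d;                  # URL-safe alphabet, padding removed
    return $id;
}

# Issue a session at login and record when it was last seen.
sub create_session {
    my ($now) = @_;
    my $id = new_session_id();
    $sessions{$id} = $now;
    return $id;
}

# Delete every session whose last_seen is older than IDLE_LIMIT.
# The equivalent statement against a table like the post's would be:
#   DELETE FROM sessions WHERE last_seen < NOW() - INTERVAL 15 MINUTE
# Returns the number of sessions removed.
sub sweep_idle {
    my ($now) = @_;
    my $removed = 0;
    for my $id (keys %sessions) {
        if ($now - $sessions{$id} > IDLE_LIMIT) {
            delete $sessions{$id};
            $removed++;
        }
    }
    return $removed;
}

# Called on every page hit: sweep first, then validate the presented ID
# and refresh its last-seen time. Returns 1 if the session is live, else 0.
sub touch_session {
    my ($id, $now) = @_;
    sweep_idle($now);
    return 0 unless defined $id && exists $sessions{$id};
    $sessions{$id} = $now;
    return 1;
}

# Explicit logoff. Returns 1 only if the session still existed, so the
# caller can log a real logoff separately from an idle expiry.
sub logoff {
    my ($id) = @_;
    return 0 unless defined $id && exists $sessions{$id};
    delete $sessions{$id};
    return 1;
}

# Demonstration with a constructed clock instead of time().
my $t0  = 1_000_000;
my $sid = create_session($t0);
print "issued id: $sid\n";
print "hit 10 minutes later, live: ",            touch_session($sid, $t0 + 600),  "\n";
print "hit 20 minutes after that, live: ",       touch_session($sid, $t0 + 1800), "\n";
print "logoff after expiry, was still active: ", logoff($sid),                    "\n";
print "forged id accepted: ",                    touch_session('not-a-real-id', $t0 + 1800), "\n";
```

The sweep runs before the lookup so that an ID which has just crossed the 15-minute line is never refreshed back to life by the very request that presents it. Note that the expiry only addresses stale IDs; a live ID copied off the wire is still usable until it expires or the user logs off, which is the sniffing exposure the post acknowledges.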