PerlMonks
Re: Re: Is this a secure way to handle login?

by moodster (Hermit)
on Mar 27, 2002 at 12:49 UTC


in reply to Re: Is this a secure way to handle login?
in thread Is this a secure way to handle login?

The solution proposed in the original post looks like regular session management to me, and you could probably implement it without running into any problems. I don't know why you need to log the IP, though.

However, I second davis's suggestion that you should go with a prebuilt module. Apache::Session totally rocks, and will let you store not only usernames and passwords, but any Storable object in your session variables. You have the choice of storing data in regular files, DB_File or several different databases, and the best part is that you don't need Apache; it will happily run under most web servers.

Also, you don't have to bother with generating random numbers for session IDs, as Apache::Session will do all this for you.

Cheers,
--Moodster

Re: Re: Re: Is this a secure way to handle login?
by perrin (Chancellor) on Mar 27, 2002 at 14:52 UTC
    The numbers generated by Apache::Session are not random enough to be considered truly secure. If you really don't want people to forge session IDs you should use some kind of hashing scheme to generate a digest that you send out with your session ID. Then you can use that to verify that the ID has not been tampered with. This technique has been described in other threads here about session handling.
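    As an added illustration of the digest scheme perrin describes (this is not code from any poster in the thread), the following Perl attaches a keyed digest (an HMAC from the core Digest::SHA module) to the session ID and refuses any cookie whose digest does not match. The server secret, the 32-hex-character ID format and the "id.mac" cookie layout are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret: constructed placeholder for this example. In a real
# deployment load a long random value from a file outside the web root.
my $SECRET = 'replace-with-a-long-random-server-secret';

# Attach a keyed digest (HMAC-SHA256) to a session ID before sending it out.
# Anyone without $SECRET cannot produce a valid digest for a forged ID.
sub sign_session_id {
    my ($session_id) = @_;
    my $mac = hmac_sha256_hex($session_id, $SECRET);
    return "$session_id.$mac";
}

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed digest were correct.
sub _eq_const_time {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify an incoming cookie value. Returns the bare session ID on success,
# or undef if the value is missing, malformed, or the digest does not match.
sub verify_session_cookie {
    my ($cookie) = @_;
    return undef unless defined $cookie;
    # Assumed format: 32 hex chars of ID (Apache::Session's MD5 generator
    # produces this) followed by '.' and a 64 hex char SHA-256 HMAC.
    my ($session_id, $mac) = $cookie =~ /^([0-9a-f]{32})\.([0-9a-f]{64})$/;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex($session_id, $SECRET);
    return _eq_const_time($mac, $expected) ? $session_id : undef;
}

# Demonstration with a constructed session ID.
my $id     = '8d3f0a1b2c4e5f60718293a4b5c6d7e8';
my $cookie = sign_session_id($id);
print "cookie: $cookie\n";
print "valid:  ", (defined verify_session_cookie($cookie) ? 'yes' : 'no'), "\n";
(my $forged = $cookie) =~ s/^8/9/;   # change the first hex digit of the ID
print "forged: ", (defined verify_session_cookie($forged) ? 'accepted' : 'rejected'), "\n";
```

    The digest only proves the ID was issued by this server; the ID itself should still come from a source with enough entropy that it cannot be guessed.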
Re: Re: Re: Is this a secure way to handle login?
by aersoy (Scribe) on Mar 27, 2002 at 23:07 UTC

    Hello.

    The method described here is not the same as regular session management. In the regular session management, the session id stays still during the session. Here, it is supposed to change on every page load.

    Update: It seems I'm the one who misunderstood the method. However, I think my method (creating a new ID on every page load) would be a bit more secure.

    --
    Alper Ersoy

      The method I described does keep the session ID constant during the session. The random number is created at login and does not change until the user logs in again.
