PerlMonks  

Re: Two-Way Password Encryption

by Abigail-II (Bishop)
on May 07, 2003 at 14:58 UTC [id://256226]


in reply to Two-Way Password Encryption

Note that if you store something in a cookie, and all that's required for authentication is to echo back what's in the cookie, it hardly matters whether you store an encrypted password, or a random number. You will be vulnerable against session hijacking. Someone able to snoop the connection between the client and the server can intercept the cookie, and hence pretend to be the person that is logged in.

You might want to consider using an encrypted channel instead.

Abigail

Replies are listed 'Best First'.
Re: Re: Two-Way Password Encryption
by petesmiley (Friar) on May 07, 2003 at 15:23 UTC
    To simplify this response...++ by the way :) authenticating by any method over SSL is preferable.

    Speaking of which, does anyone know where I can get a good tool for making my own certificates? I work on mostly internal stuff, so I don't have much use for buying one from a certificate authority. The one that comes with mod_ssl is kind of clunky if you ask me.

    smiles

      Give openSSL a try for self-signed certificates. It works on many platforms and has all the features you might need for this task (and then some...)

      Best regards

      -lem, but some call me fokat

      At the apache-ssl website, they have these instructions on how to create a test certificate. I did it today as a matter of fact.
      Here's the dirt just in case you don't want to follow the link:

      How do I create a test certificate?

      Step one - create the key and request:

        openssl req -new > new.cert.csr

      Step two - remove the passphrase from the key (optional):

        openssl rsa -in privkey.pem -out new.cert.key

      Step three - convert request into signed cert:

        openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365


      Replace the word new-cert with a variable, and you could easily turn this into a quite simple script to spit out certificates as fast as the script will run.

      This is obviously just a way to create certificates; making your web server of choice use them is another animal.


      Very funny Scotty... Now PLEASE beam down my PANTS!
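The three steps from the post above, scripted with the certificate name as a variable the way the post suggests. This is an added example, not the post's own script or anything from the apache-ssl site: it assumes a current openssl binary, uses -subj and a throwaway passphrase so that nothing prompts, and the host name and file names are made up; a check function confirms the key and certificate belong together.

```shell
#!/bin/sh
# Added example (not from the PerlMonks post): the three openssl steps,
# scripted with NAME as a variable. Assumes a current openssl binary; the
# host name and file names used here are constructed for illustration.
set -eu

# make_self_signed NAME CN [DAYS]
# Writes NAME.key (no passphrase), NAME.csr and NAME.cert in the current dir.
make_self_signed() {
    name=$1
    cn=$2
    days=${3:-365}

    # Step one: key + request. -subj replaces the interactive prompts; the
    # key gets a throwaway passphrase so that step two mirrors the post.
    openssl req -new -newkey rsa:2048 -subj "/CN=$cn" \
        -passout pass:throwaway -keyout "$name.enc.key" -out "$name.csr"

    # Step two: strip the passphrase so a web server can start unattended.
    # The unencrypted key is then only as safe as its file permissions.
    openssl rsa -in "$name.enc.key" -passin pass:throwaway -out "$name.key"
    chmod 600 "$name.key"
    rm -f "$name.enc.key"

    # Step three: self-sign the request with its own key.
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
        -days "$days" -out "$name.cert"
}

# check_self_signed NAME
# Returns 0 when the key matches the certificate and the certificate
# verifies against itself (what a client sees once it trusts the cert).
check_self_signed() {
    name=$1
    key_mod=$(openssl rsa -noout -modulus -in "$name.key")
    cert_mod=$(openssl x509 -noout -modulus -in "$name.cert")
    [ "$key_mod" = "$cert_mod" ] || return 1
    openssl verify -CAfile "$name.cert" "$name.cert" >/dev/null 2>&1
}

# cert_subject NAME: print the certificate's subject line
cert_subject() {
    openssl x509 -noout -subject -in "$1.cert"
}
```

Clients only stop warning about the certificate once they are told to trust it explicitly; that step, like wiring the files into the web server, is separate from generating them.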
