PerlMonks  

Security/Ease of use Question

by Spidy (Chaplain)
on Sep 07, 2004 at 23:09 UTC [id://389233]

Spidy has asked for the wisdom of the Perl Monks concerning the following question:

Hello,
I've recently been reading up on Perl and CGI in a couple books, and found that there are two different ways for me to store my information: I can use cookies, or I can use hidden fields in forms. There are obvious benefits to both, but I'm wondering, in a fellow Monk's opinion, what would be the easiest/most secure way?

And also, can I have a useless form to just store my hidden values?

Thanks,
Spidy

Re: Security/Ease of use Question
by tachyon (Chancellor) on Sep 07, 2004 at 23:28 UTC

    Use a session_id. See CGI::Session. There is lots of stuff here on sessioning. In essence store the session ID in a cookie or hidden field as you choose. Cookies are easiest but may not be active. A hidden field is a little more effort (not much with templates). With a session_id all the *real* data is stored on your server, well out of reach of naughty untrustworthy users.

    cheers

    tachyon

      If you want cookie-like behavior, but don't want to use cookies for it, use pathinfo. This is a perfectly legal URL:
      http://your.site.com/cgi-bin/your.cgi/your/pathinfo/here/
      The stuff following your.cgi ends up in $ENV{PATH_INFO}, where you can pick it up and use it.

      Advantage: doesn't require cookie support; nice and easy to hang a session ID off there. Disadvantage: it's in the URL, so it's visible and can be messed with.

Re: Security/Ease of use Question
by davido (Cardinal) on Sep 08, 2004 at 00:01 UTC

    There are a lot more than two ways to store your information (I assume you mean session data). One good way is to use the cookie or hidden field to simply hold onto a session key -- sometimes MD5 encrypted. That key would cross-reference a row in a database such as MySQL, in which you keep the session info.

    This approach is desirable because it keeps all the information on the server side, instead of trusting the client's browser to pass it back and forth in cookies or hidden fields. Remember that cookies and hidden fields can be manipulated by ill-behaved (or custom) browsers. By keeping the data server-side, and associating it with an MD5 generated session key, you improve security somewhat.

    A lot of the legwork is done for you by CGI::Session, and CGI::Session::MySQL. For ID Generators, see CGI::Session::ID::MD5.


    Dave
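An added example (not code from the thread or from the CGI::Session distribution) of the pattern both tachyon and davido describe: only an opaque session id crosses the wire, in a cookie, a hidden field or PATH_INFO, and everything else is kept on the server. It assumes CGI.pm and CGI::Session with the File driver; the /tmp directory and the parameter name CGISESSID (CGI::Session's default cookie name) are the assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $cgi = CGI->new;

# Pick up the id from wherever the client sent it: cookie first, then a
# hidden field, then the PATH_INFO trick from the reply above.
my $sid = $cgi->cookie('CGISESSID') || $cgi->param('CGISESSID');
if ( !$sid && ( $ENV{PATH_INFO} || '' ) =~ m{^/([0-9a-f]{32})/?$}i ) {
    $sid = $1;
}

# The id is untrusted input: anything that is not a 32-hex-digit id is
# dropped, so the driver never sees a crafted value. A missing, bogus or
# expired id simply yields a fresh, empty session; the client cannot
# forge data because the data never left the server.
undef $sid if defined $sid && $sid !~ /^[0-9a-f]{32}$/i;

my $session = CGI::Session->new( 'driver:File', $sid, { Directory => '/tmp' } )
    or die CGI::Session->errstr;
$session->expire('+1h');    # idle timeout enforced server-side

# Server-side state, keyed by the id
my $hits = ( $session->param('hits') || 0 ) + 1;
$session->param( hits => $hits );
$session->flush;            # write to disk before the response goes out

# header() emits Content-Type plus a Set-Cookie for CGISESSID
print $session->header;
print $cgi->start_html('Session demo'),
      $cgi->p("You have loaded this page $hits time(s)."),
      # Hidden-field fallback for clients that refuse cookies: the same
      # id, nothing else, travels in the form.
      $cgi->start_form( -method => 'POST' ),
      $cgi->hidden( -name => 'CGISESSID', -value => $session->id, -override => 1 ),
      $cgi->submit( -value => 'Again' ),
      $cgi->end_form,
      $cgi->end_html;
```

With the hidden field and the cookie carrying the same id, a user who blocks cookies still keeps a session, and a user who edits either value only gets a new empty one.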

Re: Security/Ease of use Question
by Your Mother (Archbishop) on Sep 08, 2004 at 00:41 UTC
    And also, can I have a useless form to just store my hidden values?

    No, if I understand you. I think you mean having more than one form in a page, yeah? <form>whateveriam...</form> stuff <form>hiddenstuff</form> It won't work (assuming browser compliance). Only the params from the individual form that was submitted will be passed on.

    Re: CGI::Session, anyone; for my own edification, I've been using Apache::Session with either the file or the mysql drivers with no trouble (well, some locking trouble with mysql but I figured out how to fix it). Is there a reason to prefer one over the other? I think the psychology of the namespace led me to think the Apache:: one would be faster, more stable. I have no empirical evidence either way and would love to hear stories.

    Update: forgot to mention that you can do it both ways for users who don't care to use cookies. The very noticeable example of this is Amazon.com where the session id is embedded in all the URIs per page load in case you're a'scared a'cookies.

      No, I meant like, a form on a page that is entirely my hidden information, on a page where there are no other forms.
        Yes, you can certainly have that. However, if you want to be able to pass that data along to the next page you will have to use a Javascript href in order to do it. For example, <a href="javascript:document.formName.submit()">click here</a>. Furthermore, if you want to be able to link to different pages all by submitting the same form, then you will have to use Javascript to modify the 'action' attribute of the form, which can get ugly.
Re: Security/Ease of use Question
by swaroop.m (Monk) on Sep 08, 2004 at 05:19 UTC
    Using a session variable is the best way.
    Cookies may be disabled in the user's browser.
    Also, hidden fields are not a great way of transferring data, as the data cannot be hidden unless encrypted.
Re: Security/Ease of use Question
by Spidy (Chaplain) on Sep 08, 2004 at 00:32 UTC
    But out of the two I mentioned, which would work the best in terms of general ease AND protection of info? I don't really want to mess around with Session until I understand it, and this project is getting a bit pressing...
      Neither is secure, and both have other issues too (for instance, a browser is only required to remember 300 bytes of cookie data per site IIRC).

      I think hidden fields are easier to understand and debug, and I can't see if you really need the security. Still, I'd go for CGI::Session. It takes a little time to figure sessions out, but once you do, you really don't want to do without them.
