Re: MySQL, PERL and web authentication

by wardk (Deacon)
on Jan 10, 2001 at 19:42 UTC (id://50927)


in reply to MySQL, PERL and web authentication

While I haven't used this method with MySQL, I have used (and seen others use) the following method for authentication using an RDBMS.

Capture the user's password, and use Perl's crypt to encrypt it (I've seen the salt stored in the database as well as the salt derived from a standard repeatable function). Store the encrypted password. At login, take the user's password as entered and encrypt it using the same method. Then compare the two encrypted strings. If they match, let them in. One nice thing about this method is that crypt is part of Perl, thus can be portable across platforms.

I am interested in other methods of doing this, or in any stories from others where this sort of method was insufficient. One scenario I am currently dealing with is an application that uses a set of login tables that have Perl crypted passwords. The app is a Cold Fusion app on NT. They cannot grok the passwords...so we had to provide a workaround (that's a story for some other node).

Disclaimer: The above method I mention has only been utilized in either an inside-the-firewall or https connections. If not using encrypted transmissions or safe behind a firewall, your passwords will be sent in the clear...thus sniffable by the bad guys.
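The crypt-based scheme described above, written out as an added example for this note (it is not code from the original post). The MySQL login table is replaced by a constructed in-memory hash, and the names make_salt, hash_password, verify_password and constant_time_eq are chosen here, not taken from the post. The check after crypt() matters in practice: some current libc builds refuse traditional DES salts and hand back undef or a short failure token instead of a hash, and a naive compare would then silently reject every login.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Salt alphabet accepted by crypt(): [./0-9A-Za-z].
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build a random salt of $len characters. Perl's rand() is not a
# cryptographic generator; it is used only to keep this example self-contained.
sub make_salt {
    my ($len) = @_;
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. $len;
}

# Hash a plaintext password for storage. $prefix selects the crypt() method:
# '' for traditional DES (2-character salt, the method the post describes),
# '$6$' for SHA-512 crypt on libcs that support it (16-character salt).
# crypt() puts the salt at the start of its output, so the stored string
# carries its own salt and nothing else needs to be kept in the table.
sub hash_password {
    my ($plain, $prefix) = @_;
    $prefix = '' unless defined $prefix;
    my $salt = $prefix . make_salt($prefix eq '' ? 2 : 16);
    my $hash = crypt($plain, $salt);
    # A libc that rejects the salt returns undef or a token such as '*0',
    # neither of which starts with the salt we passed in.
    die "crypt() rejected salt '$salt'"
        unless defined $hash && index($hash, $salt) == 0;
    return $hash;
}

# Check a login attempt: crypt() reads only the leading salt from its second
# argument, so the stored hash can be passed straight back in, and the result
# must equal the stored hash exactly.
sub verify_password {
    my ($plain, $stored) = @_;
    my $candidate = crypt($plain, $stored);
    return 0 unless defined $candidate;
    return constant_time_eq($candidate, $stored);
}

# Compare two strings without stopping at the first differing byte, so the
# time taken does not reveal how much of the hash matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed stand-in for the MySQL login table: username => crypted password.
my %login_table = (
    alice => hash_password('correct horse'),
);

# The third attempt shares its first 8 characters with the real password.
# Traditional DES crypt() looks only at those 8 characters, so it is accepted;
# the '$6$' method would reject it.
for my $attempt ('correct horse', 'wrong horse', 'correct horse battery') {
    my $ok = verify_password($attempt, $login_table{alice});
    printf "%-25s => %s\n", "'$attempt'", $ok ? 'let them in' : 'denied';
}
```

The two-character DES salt gives only 4096 salt values and the 8-character truncation shown by the last attempt is a real weakness of the original method; passing '$6$' as the prefix keeps the same store-and-compare logic while using the much stronger SHA-512 crypt where the platform provides it. The MD5 alternative suggested in the reply below would slot into the same verify_password pattern via Digest::MD5, but an unsalted fast hash is easier to attack offline than a salted crypt, so the salt handling here is worth keeping whichever hash is chosen.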

Re: Re: MySQL, PERL and web authentication
by extremely (Priest) on Jan 10, 2001 at 21:25 UTC
    Rather than use crypt(), I'd recommend thinking about MD5 style hashing for the password encryption. I ++ed this post because of the 'HTTPS' recommendation. In-the-clear passwords protect nothing from the dishonest, they just keep honest people honest.

    --
    $you = new YOU;
    honk() if $you->love(perl)

      I'll have to take a look at MD5 style hashing, thanks for the alternative.

      On the issue of clear transmissions... Due to issues that can only happen in large organizations, we are fighting a move to remove SSL from our single-login system to a straight http configuration... the reason? Users are getting fed up with accepting certificates, and being warned of a redirect (Netscape is the standard and this dialog cannot be "turned off") and complaining loudly. I wish I could say I was making this up for a Dilbert/UserFriendly strip, but I am not...they want to remove the security from the security system.

      Next they'll remove the door security because people are growing tired of having to swipe their badges through...arghhhh

      If someone wants to write a Perl module that thwarts stupidity, I'll beta test!

        My organization is in the process of implementing single sign-on for web based applications using an authentication server with cookies. We haven't yet run into these problems.

        Are your certificates issued by a well-known CA, such as Verisign? Which versions of Netscape encounter the redirect warning?
