Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked

Best practices for secure persistent login?

by Xenofur (Monk)
on May 27, 2009 at 17:46 UTC ( #766482=perlquestion: print w/replies, xml ) Need Help??

Xenofur has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I am currently working on a website which currently uses the "let's use time() as the session cookie and not check anything else" approach to user authentication.

As I've never written a login system before I could try and roll my own and stumble into many traps on the way. Thus I'd like to ask if you can suggest to me a method that uses existing CPAN modules and also general guidelines for how to apply it given a standard structure of mysql db with accounts having id, username, email and password.

Currently I'm planning to replace the timestamp with a Data::GUID as well as add in an MD5 hash of the username, password and the first two tuplets of the user ip. Both of these would be stored in a simple table, checked on every user action.
  • Comment on Best practices for secure persistent login?

Replies are listed 'Best First'.
Re: Best practices for secure persistent login?
by perrin (Chancellor) on May 27, 2009 at 17:53 UTC
    The common practice is to use a unique ID and use an SHA1 digest with a secret salt to prevent tampering with the ID. No need to build your own when CGI::Session is already there.
      Thanks for pointing me at that, I'd completely forgotten about it. :)

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://766482]
Approved by zwon
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (3)
As of 2020-09-20 02:23 GMT
Find Nodes?
    Voting Booth?
    If at first I donít succeed, I Ö

    Results (117 votes). Check out past polls.