Best practices for secure persistent login?


laziness, impatience, and hubris
	PerlMonks

Best practices for secure persistent login?

by Xenofur (Monk)

on May 27, 2009 at 17:46 UTC ( #766482=perlquestion: print w/replies, xml )

Need Help??

Xenofur has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I am currently working on a website which currently uses the "let's use time() as the session cookie and not check anything else" approach to user authentication.

As I've never written a login system before I could try and roll my own and stumble into many traps on the way. Thus I'd like to ask if you can suggest to me a method that uses existing CPAN modules and also general guidelines for how to apply it given a standard structure of mysql db with accounts having id, username, email and password.

Currently I'm planning to replace the timestamp with a Data::GUID as well as add in an MD5 hash of the username, password and the first two tuplets of the user ip. Both of these would be stored in a simple table, checked on every user action.

Comment on Best practices for secure persistent login?

Replies are listed 'Best First'.
Re: Best practices for secure persistent login? by perrin (Chancellor) on May 27, 2009 at 17:53 UTC
The common practice is to use a unique ID and use an SHA1 digest with a secret salt to prevent tampering with the ID. No need to build your own when CGI::Session is already there.	[reply]
Re^2: Best practices for secure persistent login? by Xenofur (Monk) on May 27, 2009 at 22:01 UTC
Thanks for pointing me at that, I'd completely forgotten about it. :)	[reply]

Back to Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: perlquestion [id://766482]
Approved by zwon
help

Chatterbox^?

How do I use this? | Other CB clients

Other Users^?

Others surveying the Monastery: (6)

As of 2023-09-24 08:27 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found

Notices^?