While implementing a generic POP3/SMTP Web-Interface (see a German language version at http://webmail.zf2.de) I thought about storing sensible user data (like passwords) over the session. After dropping my first idea to store that data on the server (which is possible but unwanted by our customers), I decided to store those passwords in the Cookie.
As it may be possible (in this case even most probably) that a user will use that interface from a foreign computer (maybe in an internet cafe) I needed to ensure that nobody else could read this information (from the cookie).
The final approach is:
- Encrypt the password with any Crypt::CBC enabled encryption scheme.
- Store the encrypted password in the Cookie together with a session id and other values (POP3 server et. al.)
- Store the encryption key together with the session id on the server.
- In short: the user get the cipher, we get the key.
I think this procedure is fine to ensure client security and some server security by not storing the password server-side. I know that the script itself knows the password, but I don't consider this too risky.
I would like to have some comments on this approach. Did I miss something? Did I oversize the problem? Please give me some feedback
alex pleiner <alex@zeitform.de>
zeitform Internet Dienste
use Crypt::CBC;
use CGI;
my $q = new CGI;
my $encryption_method = "Blowfish";
# get cookie
my ($login, $password, $pophost, $smtphost, $session) = getcookie();
## do something here such as fill template et. al.
# set cookie
my $cookie = setcookie($login, $password, $pophost, $smtphost, $sessio
+n);
print $q->header(-cookie=>$cookie, -expires => "now");
print $template->output;
############################################
sub setcookie {
############################################
my $login = shift;
my $password = shift;
my $pophost = shift;
my $smtphost = shift;
my $session = shift;
my $key = $ENV{UNIQUE_ID};
my $ciphertext;
my $cipher = new Crypt::CBC($key, $encryption_method);
$ciphertext = $cipher->encrypt($password);
open ID, ">$Conf::tmp_dir/$session" or print_error("write_error");
print ID $key;
close ID;
my $cookie = $q->cookie(
-name => "zf_webmail",
-value => {
pop3 => $pophost,
smtp => $smtphost,
login => $login,
password => $ciphertext,
id => $session,
},
-expires => '+10m');
return $cookie;
}
###########################################
sub getcookie {
###########################################
my %cookies = $q->cookie(-name => "zf_webmail");
my $login = $cookies{login};
unless ($login) { # no cookie -> no session
# print error
} else {
my $ciphertext = $cookies{password} or print_error("no_cook_passwo
+rd");
my $pophost = $cookies{pop3} or print_error("no_cook_pop3")
+;
my $smtphost = $cookies{smtp} or print_error("no_cook_smtp")
+;
my $session = $cookies{id} or print_error("no_cook_sessio
+n");
my $password;
open ID, "$Conf::tmp_dir/$session" or print_error("read_error");
my $key = <ID>;
close ID;
my $cipher = new Crypt::CBC($key, $encryption_method);
$password = $cipher->decrypt($ciphertext);
return ($login, $password, $pophost, $smtphost, $session);
}
}
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
