I think a good, relatively easy, security model to implement is this:

  • Store user and password info in a database. Be sure to encrypt the password. If you're using MySQL, the password() function can do this for you.
  • Have the user log in. Check the password against the info in the database.
  • Assuming login success, set an md5-encrypted cookie and store the cookie in a "valid users" table server-side. Use some kind of random, hard-to-guess info in the md5 cookie, like localtime() plus a random number and some random text. One other thing is to not set an expiration time on the cookie, so that it expires when the user closes the browser session. This will require a login each time someone wants to access an admin feature.
  • Because you have the cookie stored in a database, you can use this to authenticate across multiple scripts. You should also clear the stored cookies out of the database every day or so.
  • The biggest hole here is probably sending password/user info in plain text via the WWW. Use SSL for the login page.
  • You can also have admin functions built into the same scripts used by non-admin folks, by denying functions to folks without a valid cookie in your database. This is a big strength of this system; your security isn't an "all or nothing" proposition.
  • There's a bunch of assumptions I'm making here: that you're using strict, untainting data properly, and have read all the great links the other monks have provided in this thread. This is the "devil in the details."

Make sure to take the time to learn CGI.pm for handling your cookies and other functions; you'll be glad you did.

While this system isn't perfect, it should work for a moderately secure app. I wouldn't trust it with anything that handles credit cards or the like, but it should work well for anything below that.


In reply to Re: Security by Hero Zzyzzx
in thread Security by Anonymous Monk
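The server-side session table and session cookie described in the post above, as an added example (not Hero Zzyzzx's code). It covers the steps after the password check has succeeded; the in-memory SQLite table, DBD::SQLite, the user name 'alice' and the one-day cut-off are assumptions for the example, and the token is drawn from /dev/urandom rather than localtime() plus rand().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use Digest::SHA qw(sha256_hex);

# Constructed stand-in for the server-side "valid users" table (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT, created INTEGER)');

# Token built from OS randomness. Hashing localtime() plus rand() only hides a
# small, guessable input; the token is never more unpredictable than its source.
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return sha256_hex($bytes);
}

# Call only after the password check succeeded; the token is stored server-side
# so every script can authenticate the same cookie against the table.
sub create_session {
    my ($user) = @_;
    my $token = random_token();
    $dbh->do('INSERT INTO sessions (token, username, created) VALUES (?, ?, ?)',
             undef, $token, $user, time);
    return $token;
}

# Look the cookie value up in the table; returns nothing for missing or unknown tokens.
sub session_user {
    my ($token) = @_;
    return unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my ($user) = $dbh->selectrow_array(
        'SELECT username FROM sessions WHERE token = ?', undef, $token);
    return $user;
}

# The daily clean-out: drop sessions older than a day (constructed cut-off).
sub expire_sessions {
    $dbh->do('DELETE FROM sessions WHERE created < ?', undef, time - 86400);
}

# Usage: 'alice' stands for a user whose password has just been verified.
my $q      = CGI->new;
my $token  = create_session('alice');
my $cookie = $q->cookie(-name => 'session', -value => $token,
                        -secure => 1, -httponly => 1);   # no -expires: dies with the browser
print $q->header(-cookie => $cookie);                    # Set-Cookie plus Content-Type
print "token maps back to ", session_user($token), "\n"; # a later request would pass $q->cookie('session')
```

Any other script under the same database can call session_user($q->cookie('session')) and deny admin functions when it returns nothing, which is the per-function denial the post describes.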