Don't put the username/password combo in the cookie, encrypted or not. Instead, on the intial login, get their username/password and do the authentication. Once authenticated, put their username in a database paried with a unique session ID (I usually use Data::UUID for that) and send the session ID in the cookie. On subsequent entries, you check the session ID against your database. Keep another script in a crontab that deletes old session IDs from the database.

There are various authentication modules in the Apache:: namespace, but most of them only work if you're running mod_perl on Apache.

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

Note: All code is untested, unless otherwise stated

There are various authentication modules in the Apache:: namespace, but most of them only work if you're running mod_perl on Apache.

However, for the technique you are describing you can use Apache::Session, which is usable for CGI scripts.

Then you can use Data::UUID for creating the session id. Nice module by the way - hadn't heard of it till now - hardburn++

-- 
Joost       downtime n. The period during which a system
            is error-free and immune from user input.
[download]

You might want to consider using an encrypted channel instead.

Abigail

To simplify this response...++ by the way :) authenticating by any method over SSL is preferrable.

Speaking of which does anyone know where I can get a good tool for making my own certificates. I work on mostly internal stuff, so I don't have much use for buying one from a certificate authority. The one that comes with mod_ssl is kind of clunky if you ask me.

smiles

Give openSSL a try for self-signed certificates. It works on many platforms and has all the features you might need for this task (and then some...)

Best regards

-lem, but some call me fokat

At the apache-ssl website, they have these instructions on how to create a test certificate. I did it today as a matter of fact.
Here's the dirt just in case you don't want to follow the link:


how do I create a test certificate?

Step one - create the key and request:

  openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):

  openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:

   openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365


Replace the word new-cert with a variable, and you could easily turn this into a quite simple script to spit out certificates as fast as the script will run.

This is obviously just a way to create certificates, making your web server of choice use them, is another animal.


Very funny Scotty... Now PLEASE beam down my PANTS!

• merlyn's article on cookies, sessions and the like;

• This thread might help. Webpage Logins

  and,

• a Super Search for 'session' or 'state' will show lots of threads on thie topic as well.

HTH

--
bowling trophy thieves, die!

use Crypt::CBC;

my $key = 'kjhAG43asoiudy3kjq43ajhali87LOljkYilKH84yiHLkjklasjsd98fu';

my $cipher = new Crypt::CBC($key,'Blowfish');
my $crypt = $cipher->encrypt($password);

$cgi = new CGI;

my $auth = "$user,$crypt";

$cookie = $cgi->cookie (
    -name    => 'hostauth',
    -value   => $auth
);

print $cgi->header (-type => 'text/html', -cookie => $cookie);
[download]

use Crypt::CBC;

my $key = 'kjhAG43asoiudy3kjq43ajhali87LOljkYilKH84yiHLkjklasjsd98fu';

my $cipher = new Crypt::CBC($key,'Blowfish');
my $auth = $cipher->decrypt($cookie);

# Send the $auth to the LDAP server...
[download]

      
--------------------------------
SV* sv_bless(SV* sv, HV* stash);