http://qs321.pair.com?node_id=34784

lm_mario has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am making a chat program in Perl and I have created a login script. I ran across a security problem when passing the username and password value through the URL (cause well you could see them hehe)... So I had the script pick a random number then create a file with that randomnumber.dat then I had it store the username and password inside it (with 700 permissions). So then the page is created and the script refers to the number in the URL instead of displaying the username and password. After the script gets the random number and opens it and reads it... it deletes the file. So I want your feedback to see how y'all would have done this..

Re: Login stuff hehe/
by merlyn (Sage) on Oct 01, 2000 at 06:01 UTC
    Use method POST rather than method GET, and pass the data as two form fields. No more URL visibility, and the login won't be cached either.

    -- Randal L. Schwartz, Perl hacker
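The POST-based login merlyn describes, as an added example that is not code from the thread or from any of its posters. It uses CGI.pm (core in 2000, from CPAN on modern perls); the field names, the `%users` hash and its sample entry are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a login handler that follows
# merlyn's advice and accepts credentials only as POST form fields.
# The field names, the %users hash and its sample entry are constructed.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# Constructed credential store: username => crypt()ed password.
# Plaintext passwords never touch disk. crypt() was the stock hash in 2000;
# a modern deployment would use bcrypt/scrypt/Argon2 from a CPAN module.
my %users = (
    lm_mario => crypt('sample-password', 'x7'),   # sample entry only
);

# Verify a username/password pair against the store. Returns 1 or 0.
sub login_ok {
    my ($user, $pass) = @_;
    return 0 unless defined $user && exists $users{$user};
    my $stored = $users{$user};
    # crypt() reuses the salt at the front of $stored, so equal output
    # means the supplied password matches the stored one.
    return crypt($pass // '', $stored) eq $stored ? 1 : 0;
}

# The form: method POST keeps both fields out of the query string, so they
# never reach access logs, Referer headers or browser history.
sub login_form {
    return $q->start_form(-method => 'POST', -action => $q->url)
         . $q->textfield(-name => 'username') . "\n"
         . $q->password_field(-name => 'password') . "\n"
         . $q->submit(-value => 'Log in')
         . $q->end_form;
}

if ($q->request_method eq 'POST') {
    # For POST, CGI.pm's param() reads the request body only; anything
    # someone appends to the query string is not consulted here.
    if (login_ok($q->param('username'), $q->param('password'))) {
        print $q->header(-type => 'text/plain'), "Welcome.\n";
    } else {
        # One message for unknown user and wrong password alike, so the
        # response does not reveal which usernames exist.
        print $q->header(-type => 'text/plain', -status => '401 Unauthorized'),
              "Login failed.\n";
    }
} else {
    # A GET (for instance a bookmarked URL with ?username=...) just gets
    # the form back; credentials in the URL are never checked.
    print $q->header, $q->start_html('Login'), login_form(), $q->end_html;
}
```

Beyond the POST method itself, the two checks a practitioner would add are the ones shown: compare against a hashed password rather than a stored plaintext, and keep the failure response identical for both failure causes.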

Re (tilly) 1: Login stuff hehe/
by tilly (Archbishop) on Oct 01, 2000 at 05:06 UTC
    In Put name and password in URLs I discuss how Hotmail solves this exact problem. Note that in the last few weeks the RSA patent expired. You can now acquire, for free and legally in the US, both Apache and mod_ssl to implement the https server required in the authentication.

    As for your solution, it is pretty good but I would have a number of concerns. For instance what happens if someone sends you a request that matches a file you care about? Can someone who is sniffing the network spoof the connection? Was the password sent in the clear?

    None of this probably matters for a chat server. (Heck how many of us are willing to let cookies go around with plaintext passwords?) But I wouldn't want to trust that with important data.
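tilly's first concern, a request whose value "matches a file you care about", is the part of the questioner's random-file scheme that can be fixed in code. The following is an added example, not code from the thread: it keeps the one-shot file hand-off but validates the token before it is ever turned into a path. The directory, the `.dat` suffix and the 32-hex-character token format are my assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the questioner's random-file
# hand-off, hardened against a request value that names a real file.
# The directory, file suffix and token length are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# A directory (assumed path, mode 0700) holding nothing but these files.
my $session_dir = '/var/tmp/chat-handoff';

# 128 bits from the kernel CSPRNG rather than rand(): the token must be
# unguessable, or another client can redeem someone else's login.
sub new_token {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H32', $bytes;
}

# Map a token from the request to a path, or return undef.
# Only exactly 32 lowercase hex characters are accepted, so "..", "/" or
# the name of a real file never reaches open(). The capture also untaints
# the value when the script runs under perl -T.
sub token_path {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A([0-9a-f]{32})\z/;
    return File::Spec->catfile($session_dir, "$1.dat");
}

# Create the hand-off file. O_EXCL refuses an existing path, so a file or
# symlink planted in the directory beforehand is never written through.
# Only the username is stored: the password was verified at login and
# has no reason to be written to disk at all.
sub store_handoff {
    my ($user) = @_;
    my $token = new_token();
    my $path  = token_path($token);
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
        or die "cannot create $path: $!";
    print $fh "$user\n";
    close $fh or die "close $path: $!";
    return $token;
}

# Redeem a token once: read the username, then remove the file so the same
# URL cannot be replayed later from a log or browser history.
sub redeem_handoff {
    my ($token) = @_;
    my $path = token_path($token) or return undef;   # malformed token
    open my $fh, '<', $path or return undef;         # unknown or already used
    chomp(my $user = <$fh> // '');
    close $fh;
    unlink $path or warn "could not unlink $path: $!";
    return $user;
}

# Usage from the login script, after the password has been checked:
#   my $token = store_handoff($username);
#   ... redirect the browser to the chat page with ?t=$token ...
# and from the chat page:
#   my $user = redeem_handoff($q->param('t'));
```

The regex in `token_path` is the whole defence against the file-matching concern: a value that is not exactly the expected token shape is rejected before any filesystem call, and the directory contains nothing else that could be read or clobbered. tilly's other two concerns, sniffing and plaintext transmission, are not solved by the script at all; that is what the https server from mod_ssl is for.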

RE: Login stuff hehe/
by AgentM (Curate) on Oct 01, 2000 at 04:27 UTC
    Man, if your chat is supposed to be CGI, use FastCGI or some equivalent so that you don't have to worry about process-time variables (vars that die with the program). Store the stuff in hashes. You can use mmap later to service multiple clients in shared memory. Otherwise (or if you NEED to store this stuff in a file), tie this stuff into an AnyDB. (Be careful of multiple servers accessing data; you will need data/file synchronization.) Even a better solution may be to store cookies (use CGI;). There's probably a Q&A section somewhere on perlmonks that discusses CGI/HTML authentication (without webserver style auth). But the random number check will serve you fine checking the cookie against a hash.
    AgentM Systems or Nasca Enterprises is not responsible for the comments made by AgentM- anywhere.
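AgentM's closing suggestion, a cookie holding a random id that is checked against a server-side hash, as an added example that is not code from the thread. The cookie name, the 30-minute lifetime and the `-httponly`/`-secure` flags (later CGI.pm additions) are my choices. The `%sessions` hash only persists between requests in a long-lived process, which is AgentM's FastCGI point: under plain CGI it would be empty on every request.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: cookie carrying an opaque
# session id, looked up in a hash kept by a persistent (FastCGI-style)
# process. Cookie name and lifetime are assumptions.
use strict;
use warnings;
use CGI;

my $q = CGI->new;
my %sessions;              # session id => { user => ..., created => ... }
my $max_age = 30 * 60;     # 30 minutes, assumed

# 128 random bits as hex, from the kernel CSPRNG.
sub random_id {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H32', $bytes;
}

# Called by the login handler after the password has been verified.
# Returns the cookie to pass to header(-cookie => ...).
sub issue_session {
    my ($user) = @_;
    my $id = random_id();
    $sessions{$id} = { user => $user, created => time };
    return $q->cookie(
        -name     => 'chat_session',
        -value    => $id,
        -path     => '/',
        -httponly => 1,   # not readable by page scripts
        -secure   => 1,   # only sent over https (tilly's mod_ssl point)
    );
}

# Resolve the request's cookie to a username, or undef. The cookie holds
# only the id: no username or password a client could edit to become
# someone else, and an id that is not in %sessions means nothing.
sub current_user {
    my $id = $q->cookie('chat_session');
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $s = $sessions{$id} or return undef;
    if (time - $s->{created} > $max_age) {
        delete $sessions{$id};        # expired: forget it server-side
        return undef;
    }
    return $s->{user};
}

# Drop the session server-side and tell the browser to discard the cookie.
sub logout {
    my $id = $q->cookie('chat_session');
    delete $sessions{$id} if defined $id;
    return $q->cookie(-name => 'chat_session', -value => '',
                      -expires => '-1d', -path => '/');
}

if (defined(my $user = current_user())) {
    print $q->header(-type => 'text/plain'), "Hello, $user\n";
} else {
    print $q->header(-type => 'text/plain', -status => '401 Unauthorized'),
          "Not logged in.\n";
}
```

The check in `current_user` is deliberately server-side: whether a session is valid, and who it belongs to, is decided by `%sessions`, never by anything the client sends. This is the "random number check ... against a hash" AgentM describes, with expiry added so an id lifted from an old request stops working on its own.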
RE: Login stuff hehe/
by ant (Scribe) on Oct 02, 2000 at 14:43 UTC
    Hi
    You could always encrypt the username and password, and then send the details in the URL.
    However I would prefer using the post method and then use the CGI module to pick up the username and password in the next script.
    Ant