develooper Front page | perl.beginners | Postings from April 2002

Re: authentication and user management

Thread Previous | Thread Next
bob ackerman
April 25, 2002 12:38
Re: authentication and user management
Message ID:

On Thursday, April 25, 2002, at 11:57  AM, Mat Harrison wrote:

> what about some clever person (such as the people on this list) faking the
> cookie?

now, you are talking about the general issue of authorization.
a fake cookie would have to know a valid user id. this might not to be too 
difficult to find.
That is why i use an encrypted value of the password in a cookie for 
checking against.
That  would be a little harder to find out unless a hacker had access to a 
valid user's cookies.
There is only so much you can do. Makes it hard to fake, but not 
impossible. There is no absolute guarantee.

> -----Original Message-----
> From: bob ackerman []
> Sent: Thursday, April 25, 2002 7:26 PM
> To:
> Subject: Re: authentication and user management
> On Thursday, April 25, 2002, at 10:58  AM, Mat Harrison wrote:
>> i am building a perl/cookie members system for my site using SSI to check
>> if
>> a cookie is present (set at login), if not, to redirect to an error page.
>> This is my plan:
>> 1. login page. check that the username and password match that in the
>> database.
>> 2. if yes then set a cookie with the users's ID from the database
>> 3. when the restricted page is called then the script attempts to 
>> retrieve
>> the cookie.
>> How do i say if ($cookievalue eq "" || cookie does not exist){
>> 				redirect to an error page
>> 			}
>> I know how to retrieve a cookie and redirect but how do i get the script
>> to
>> tell the difference between an incorrect cookie value (one that doesn't
>> match any IDs in the database) and no cookie at all.
> when you ask for a cookie for a given key, if it doesn't exist it will be
> empty.
> as in code above. I don't think you want to worry about the cookie
> existing with an empty value.
> That wouldn't be a valid login.
> Then if the cookie exists, you could do a db query to make sure the id is
> actually in the database.
>> If anyone can suggest anything about the cookies or any tips on this
>> subject
>> in general please help
>> Thanks in Advance
>> --
>> Matthew Harrison
>> Webmaster
> --
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About