
Re: authentication and user management

From: bob ackerman
Date: April 25, 2002 12:38
Subject: Re: authentication and user management
Message ID: F88FF668-5883-11D6-9AC6-003065428126@pacbell.net

On Thursday, April 25, 2002, at 11:57  AM, Mat Harrison wrote:

> what about some clever person (such as the people on this list) faking the
> cookie?

now, you are talking about the general issue of authorization.
a fake cookie would have to know a valid user id. this might not be too
difficult to find.
That is why I use an encrypted value of the password in a cookie for
checking against.
That would be a little harder to find out unless a hacker had access to a
valid user's cookies.
There is only so much you can do. Makes it hard to fake, but not
impossible. There is no absolute guarantee.

> -----Original Message-----
> From: bob ackerman [mailto:rdacker@pacbell.net]
> Sent: Thursday, April 25, 2002 7:26 PM
> To: beginners@perl.org
> Subject: Re: authentication and user management
>
>
>
> On Thursday, April 25, 2002, at 10:58  AM, Mat Harrison wrote:
>
>> i am building a perl/cookie members system for my site using SSI to check if
>> a cookie is present (set at login), if not, to redirect to an error page.
>> This is my plan:
>>
>>
>> 1. login page. check that the username and password match that in the
>> database.
>> 2. if yes then set a cookie with the user's ID from the database
>> 3. when the restricted page is called then the script attempts to retrieve
>> the cookie.
>>
>> How do i say if ($cookievalue eq "" || cookie does not exist){
>> 				redirect to an error page
>> 			}
>>
>> I know how to retrieve a cookie and redirect but how do i get the script to
>> tell the difference between an incorrect cookie value (one that doesn't
>> match any IDs in the database) and no cookie at all.
>
> when you ask for a cookie for a given key, if it doesn't exist it will be
> empty.
> as in code above. I don't think you want to worry about the cookie
> existing with an empty value.
> That wouldn't be a valid login.
> Then if the cookie exists, you could do a db query to make sure the id is
> actually in the database.
>
>> If anyone can suggest anything about the cookies or any tips on this subject
>> in general please help
>>
>> Thanks in Advance
>>
>> --
>> Matthew Harrison
>> Webmaster
>> www.genestate.com
>> mat.harris@genestate.com
>
>
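
An added example, not part of the original thread: one way to tell "no cookie" apart from "cookie present but not acceptable", and to make the value harder to fake than a bare user id. It signs the id with an HMAC under a server-side secret, which is a different technique from the encrypted-password value described in the reply above; the cookie name `member`, the secret and the in-memory `%MEMBERS` table standing in for the database are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the thread): cookie name "member", a server-side
# secret, and a hash standing in for the members database.
my $SECRET  = 'constructed-demo-secret-change-me';
my %MEMBERS = (17 => 'mat', 42 => 'bob');    # constructed sample data

# Cookie value issued at login: "<id>.<HMAC-SHA256 of the id>".
sub make_cookie {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Classify the raw Cookie request header (e.g. $ENV{HTTP_COOKIE} under CGI).
sub check_cookie {
    my ($header) = @_;
    my ($value) = defined $header ? $header =~ /(?:^|;\s*)member=([^;]*)/ : ();
    return 'missing' unless defined $value && length $value;   # no cookie at all
    my ($id, $mac) = $value =~ /\A(\d+)\.([0-9a-f]{64})\z/
        or return 'forged';                                    # bare id or malformed
    return 'forged'  unless same_string($mac, hmac_sha256_hex($id, $SECRET));
    return 'unknown' unless exists $MEMBERS{$id};              # signed, id not in db
    return "ok:$id";
}

# Constructed request headers covering each case.
my $good = make_cookie(17);
for my $header (undef, 'member=', 'member=17', "theme=dark; member=$good",
                'member=42.' . ('0' x 64), 'member=' . make_cookie(99)) {
    printf "%-28.28s => %s\n", $header // '(no Cookie header)', check_cookie($header);
}
```

The login script would send `make_cookie($id)` as the cookie value; the restricted page redirects to the error page for anything other than an `ok:` result.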

