
Re: [SLUG] Another Perl Question [continued]



Whoops - sent that last one too early....

As for using cookies for authentication, this is the wrong thing(tm).

You may want to consider switching to mod_perl, so you can use something
like Apache::Session, which will let you use cookies to select sessions,
which can contain your authentication state in a far more secure manner.
[ie: only create a session when a user logs in, destroy the session when
they log out, and check for a valid session when you need to.].

Any manner in which you can store a password in a cookie immediately makes
it incredibly insecure, since that cookie will be sent in the clear for
*every* HTTP request for objects under the URL base specified in the
cookie... and you seriously can't protect a password with a simple hash if
you're using the hashed form to confirm authentication [this won't stop
people from using the hashed form to force authentication].

+-================================================-+
| Crossfire      | This message was brought to you |
| xfire@nospam.xware.cx | on 100% recycled electrons      |
+-================================================-+

> ----- Original Message -----
> From: Dean Hamstead <zort@nospam.penrithcity.nsw.gov.au>
> To: <slug@nospam.slug.org.au>
> Sent: Friday, December 01, 2000 9:29 PM
> Subject: [SLUG] Another Perl Question
>
>
> > I need to save username and password as a cookie on the client.
> >
> > Yeah, that's easy, I would like a single encrypted cookie. Doesn't
> > have to be insanely encrypted, just something that's not easily
> > readable.
> >
> > (did I mention Perl?)
> >
> > Dean




-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
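The two designs Crossfire contrasts, side by side, as an added example that is not code from the original thread, from Apache::Session, or from anyone on the list. It is written in Python rather than Perl so the mechanism is easy to follow; the user records, cookie format, session store and SESSION_TTL value are all constructed for the example and held in process. Part 1 is what the original poster asked for (a cookie carrying the username and a hash of the password) and shows why the hashed form is itself a credential: anyone who sniffs the cookie, or obtains the server's stored digest, can build a valid cookie without ever knowing the password, and there is no way to revoke it. Part 2 is the session approach: the cookie carries only a random session id, the session is created on login, destroyed on logout, and checked (including expiry) on every request, and the password never leaves the server at all.

```python
"""Password-in-cookie versus server-side session, side by side.

Added example for this thread, not code from the original post or from
Apache::Session. User records, the cookie format and the session store are
constructed in-process so it runs offline; a real deployment would keep
SESSIONS in a file or database store and send the session id over HTTPS
with the Secure and HttpOnly cookie flags.
"""
import hashlib
import hmac
import secrets
import time

# ---------------------------------------------------------------------------
# 1. The wrong thing(tm): a cookie carrying "username:hash(password)".
# ---------------------------------------------------------------------------
BAD_SHADOW = {}  # username -> hex digest the server keeps to verify cookies


def bad_register(username, password):
    BAD_SHADOW[username] = hashlib.sha256(password.encode()).hexdigest()


def bad_login_cookie(username, password):
    """What the original poster asked for: a 'not easily readable' cookie."""
    return f"{username}:{hashlib.sha256(password.encode()).hexdigest()}"


def bad_is_authenticated(cookie):
    """Server side: compare the digest in the cookie with the stored one."""
    user, _, digest = cookie.partition(":")
    stored = BAD_SHADOW.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), digest.encode())


def forge_bad_cookie(username, leaked_digest):
    """Holding the digest (sniffed cookie, leaked table) is enough; no password needed."""
    return f"{username}:{leaked_digest}"


# ---------------------------------------------------------------------------
# 2. Session-based: the cookie only selects a server-side session record.
# ---------------------------------------------------------------------------
USERS = {}          # username -> (salt, PBKDF2 hash); the password never leaves the server
SESSIONS = {}       # session id -> {"user": ..., "created": ...}
SESSION_TTL = 3600  # seconds; an assumed value for this example


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _kdf(password, salt))


def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        _kdf(password, b"\x00" * 16)  # same cost for unknown users: no timing tell
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _kdf(password, salt))


def login(username, password, now=None):
    """Create a session only after a successful password check; return its id."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not derived from the password
    SESSIONS[sid] = {"user": username, "created": now if now is not None else time.time()}
    return sid


def logout(sid):
    """Destroying the record revokes every copy of the cookie, sniffed or not."""
    SESSIONS.pop(sid, None)


def current_user(sid, now=None):
    """Check on each request that the id names a live, unexpired session."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if (now if now is not None else time.time()) - rec["created"] > SESSION_TTL:
        SESSIONS.pop(sid, None)  # expired: drop it so a replay later cannot revive it
        return None
    return rec["user"]


if __name__ == "__main__":
    bad_register("dean", "hunter2")
    sniffed = bad_login_cookie("dean", "hunter2")
    print("replayed password-hash cookie accepted:", bad_is_authenticated(sniffed))
    print("cookie forged from leaked digest accepted:",
          bad_is_authenticated(forge_bad_cookie("dean", BAD_SHADOW["dean"])))
    register("dean", "hunter2")
    sid = login("dean", "hunter2")
    print("session cookie resolves to:", current_user(sid))
    logout(sid)
    print("after logout:", current_user(sid))
```

Note that a sniffed session id is still a bearer credential until it expires or is logged out, which is why the cookie should only ever travel over HTTPS; the difference is that it can be revoked server-side and reveals nothing about the password, whereas the hashed-password cookie is valid for as long as the password is.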