Re: cgi and https (mildly off topic)

by Ryszard (Priest)
on Nov 27, 2001 at 09:30 UTC (#127729)


in reply to cgi and https (mildly off topic)

Why not use session management so people have to log in to use the service? It's easy to build yourself, or even easier if you want to download a module to do it for you.

Whatever you do, use perl -wT, and *don't* put any JS in webpages to encrypt anything. All passwords should be stored server-side with some kind of one-way hash (md5, sha-1; I prefer hashing over encrypting as you don't need to leave a key lying about somewhere). The incoming password is then captured, untainted, encrypted and compared to the one that is stored.

If possible, put the backend storage machine on a private network so it is harder to get to (but that may be overkill in your situation).

As a rule, untaint *everything* that is coming from outside your script (which is what -T actually enforces).

By far the easiest method of doing this is to have one script that accepts a password and, conditionally on the password being correct, pumps out the right information.
The downside is it is *so* unscalable, and you need to re-enter the password each time you want to review the information.

Just the disjointed ravings of a crazed lunatic.
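One way to wire up the check the post describes (capture, untaint, hash, compare) as an added example that is not part of the original post; it is Perl meant to run under `perl -wT`, and the `%stored` table, the user name and the sample passwords are constructed for illustration:

```perl
#!/usr/bin/perl -wT
# Added example, not from the original post: untaint a submitted password,
# hash it with SHA-1 as the post suggests, and compare against the stored hash.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);   # core module since Perl 5.9.3

# Constructed sample store: username => hex SHA-1 of the password.
# A real deployment would read this from a database on the backend host.
my %stored = (
    alice => sha1_hex('correct horse'),
);

# Untaint: under -T, anything from the request is tainted until it has
# passed through a regex capture. Allow only printable characters and cap
# the length so the hash routine never sees arbitrary input sizes.
sub untaint_password {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([[:print:]]{1,128})\z/;
    return undef;                # anything else is rejected, not "cleaned"
}

# Compare two hex digests in constant time so a wrong guess does not leak
# how many leading characters matched.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Full check: untaint, hash the candidate, compare with the stored digest.
sub check_login {
    my ($user, $raw_password) = @_;
    my $pw = untaint_password($raw_password);
    return 0 unless defined $pw && exists $stored{$user};
    return digests_equal(sha1_hex($pw), $stored{$user});
}

# Usage with constructed input; in a CGI script the two values would come
# from the request parameters instead.
print check_login('alice', 'correct horse') ? "ok\n" : "denied\n";
print check_login('alice', 'wrong')         ? "ok\n" : "denied\n";
```

Plain SHA-1 matches what the post names; a production store should use a salted, deliberately slow password hash, and the untaint pattern should be tightened to whatever your own password policy allows.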

