Re: cgi and https (mildly off topic)
by Ryszard (Priest) on Nov 27, 2001 at 09:30 UTC
Why not use session management so people have to log in to use the service? It's easy to build yourself, or even easier if you want to download a module to do it for you.
Whatever you do, use perl -wT, and *don't* put any JS in webpages to encrypt anything. All passwords should be stored server-side with some kind of one-way hash (MD5, SHA-1; I prefer hashing over encrypting as you don't need to leave a key lying about somewhere). The incoming password is then captured, untainted, encrypted and compared to the one that is stored.
If possible, put the backend storage machine on a private network so it is harder to get to (but that may be overkill in your situation).
As a rule, untaint *everything* that is coming from outside your script (which is what -T actually enforces).
By far the easiest method of doing this is to have one script that accepts a password and, conditionally on the password being correct, pumps out the right information.
Just the disjointed ravings of a crazed lunatic.
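The flow the reply describes (run under -wT, untaint the incoming password, hash it server-side, compare against the stored hash, and only then emit the protected content) as one script. This is an added example, not code from the post or from PerlMonks; it uses a salted SHA-256 via the core Digest::SHA module rather than the MD5/SHA-1 mentioned above, keeps the credential store in memory with a constructed entry so it runs offline, and assumes CGI.pm is installed for form handling. The user name `alice`, the salt and the password are all made up for the example.

```perl
#!/usr/bin/perl -wT
# Added example (not from the original post): taint-mode login check for a
# CGI script. The credential store is held in memory here so the script
# runs offline; in a real deployment the hashes live on the backend machine.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed credential store: user => { salt, hex(sha256(salt . password)) }.
# A real store uses a random per-user salt kept beside the hash; there is no
# key to protect, because the hash cannot be reversed.
my %users = (
    alice => { salt => 'c3f1a9', hash => sha256_hex('c3f1a9' . 'correct horse') },
);

# Untaint a form parameter. Under -T, only data captured by a regex is
# considered clean, so whitelist the allowed characters and reject anything
# else rather than trying to strip "bad" bytes out.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([a-z0-9_]{1,32})\z/ ? $1 : undef;
}

sub untaint_password {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Printable ASCII, bounded length. The password is only ever hashed,
    # never interpolated into a shell command, a file name or a query.
    return $raw =~ /\A([\x20-\x7e]{1,128})\z/ ? $1 : undef;
}

# Compare two hex digests in constant time, so a wrong guess takes the same
# time regardless of how many leading characters happen to match.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 for a correct password, 0 otherwise. The stored value is never
# decrypted: the incoming password is hashed the same way and the digests
# are compared.
sub check_login {
    my ($raw_user, $raw_pass) = @_;
    my $user = untaint_username($raw_user) or return 0;
    my $pass = untaint_password($raw_pass) or return 0;
    my $entry = $users{$user}              or return 0;
    my $candidate = sha256_hex($entry->{salt} . $pass);
    return digests_equal($candidate, $entry->{hash});
}

# Script body: read the form, decide, and only then pump out the protected
# information. Skipped when the file is require'd so the subs can be reused.
unless (caller) {
    require CGI;
    my $q = CGI->new;
    print $q->header('text/plain');
    if (check_login(scalar $q->param('user'), scalar $q->param('pass'))) {
        print "OK: here is the protected information\n";
    } else {
        print "Login failed\n";
    }
}
```

Because -T is on the #! line, run it as `perl -wT login.pl user=alice pass='correct horse'` (CGI.pm accepts key=value pairs on the command line when there is no web server); invoking it without -T on the command line makes Perl refuse to start with "Too late for -T option". The regexes are the untainting step the post refers to: anything that does not match is dropped before it can reach a database query or the filesystem, and the same script never branches on the raw parameters themselves.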