PerlMonks
On security, make it transparent as possible. Create classes that implement the overall picture, piece by piece. For instance, a "forgot password" class would do a bit of work to either grab your email address or username and mail out a password.

But these classes would never do silly things like call CPAN packages directly for doing email or database calls. Usually not. They should call an API that you design to do these things. Something similar to:

    $user = $api->get_user({id=>$id});
    $api->mail_password({user=>$user});

Then you need to use either the facility of your language or your api to deal with security. It should be VERY light weight and pluggable. Why? Testing is hard. Really hard. Switching gears by adding new authentication schemes is hard as well. Or providing new schemes, like single-signon, RSA keys, browser certs. Think of it as hard as swapping DBs. At least with databases, and a user-written API, you can swap DBs without disrupting all those classes that implement the overall picture. :)

I could imagine something simple like, using the perl autoloader to act as a transparent proxy to your api calls. So you could do something like:

    Exussum::SecureApi->set_api("Exussum::Api");
    $api = Exussum::SecureApi->new();
    $api->set_user("exussum");
    $api->set_password("admin-password");
    $api->deposit("X932323",5000,"USD");
    $api->transfer("X932323","X812812",20,"USD");

If for some reason, one day I don't want to use my Exussum::Api, and want to use some sorta test api that doesn't do real work, I may feed my SecureApi Exussum::TestApi.

It's a lot to take in. A hell of a lot. Summed up, some things, like DB access, security, cross-cutting visual design (think left bar, top banner, w/ a logo and colour scheme via CSS), usually should be very lightweight. Otherwise, you tie yourself down to the underlying technology with unusually specific, rigid requirements.


In reply to Re: OT: WebApp Authorization Question by exussum0
in thread OT: WebApp Authorization Question by jimbus
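The AUTOLOAD-as-transparent-proxy idea described in the reply above, as an added example that is not exussum0's code: Exussum::SecureApi owns the authentication check, and every other method name is forwarded to whichever backend class was handed to set_api(). Exussum::TestApi is a hypothetical no-real-work backend standing in for Exussum::Api; the credential table and account numbers are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical backend that does no real work (the "TestApi" of the post).
# It keeps an in-memory ledger so deposit/transfer have observable effects.
package Exussum::TestApi;

sub new { my ($class) = @_; return bless { ledger => {} }, $class; }

sub deposit {
    my ($self, $acct, $amount, $ccy) = @_;
    $self->{ledger}{$acct} += $amount;
    return $self->{ledger}{$acct};
}

sub transfer {
    my ($self, $from, $to, $amount, $ccy) = @_;
    die "insufficient funds in $from\n"
        if ($self->{ledger}{$from} // 0) < $amount;
    $self->{ledger}{$from} -= $amount;
    $self->{ledger}{$to}   += $amount;
    return 1;
}

# The transparent proxy: authentication lives here, business calls pass
# through untouched, so the backend can be swapped without touching callers.
package Exussum::SecureApi;
our $AUTOLOAD;

my $backend_class;    # chosen with set_api(); Exussum::Api in production
# Constructed sample credential store; a real one would hold password
# hashes (or defer to whatever scheme is plugged in), never plaintext.
my %credentials = ( exussum => 'admin-password' );

sub set_api { my ($class, $impl) = @_; $backend_class = $impl; }

sub new {
    my ($class) = @_;
    die "call set_api() before new()\n" unless $backend_class;
    return bless { backend => $backend_class->new, user => undef, authed => 0 }, $class;
}

# Changing the user invalidates any earlier successful password check.
sub set_user { my ($self, $u) = @_; $self->{user} = $u; $self->{authed} = 0; }

sub set_password {
    my ($self, $p) = @_;
    my $expected = $credentials{ $self->{user} // '' };
    $self->{authed} = (defined $expected && $expected eq $p) ? 1 : 0;
}

# Any method not defined above lands here and is forwarded to the backend,
# but only after the caller has authenticated.
sub AUTOLOAD {
    my $self = shift;
    (my $method = $AUTOLOAD) =~ s/.*:://;
    return if $method eq 'DESTROY';    # never forward object destruction
    die "not authenticated; refusing $method\n" unless $self->{authed};
    die "backend cannot $method\n" unless $self->{backend}->can($method);
    return $self->{backend}->$method(@_);
}

package main;

Exussum::SecureApi->set_api('Exussum::TestApi');
my $api = Exussum::SecureApi->new;
$api->set_user('exussum');
$api->set_password('admin-password');
$api->deposit('X932323', 5000, 'USD');
$api->transfer('X932323', 'X812812', 20, 'USD');
print "transfer accepted through the proxy\n";

# A wrong password drops the authenticated flag; the next call is refused
# before the backend ever sees it.
$api->set_password('wrong');
eval { $api->deposit('X932323', 1, 'USD') };
print "rejected: $@" if $@;
```

Swapping `set_api('Exussum::TestApi')` for `set_api('Exussum::Api')` is the only change needed to run against the real backend, which is the point of the post: the authentication scheme and the business API vary independently, and tests can exercise the security layer against a backend that moves no money.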
