Best practices for secure persistent login?

by Xenofur (Monk)
on May 27, 2009 at 17:46 UTC (node #766482)
Xenofur has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I am currently working on a website which currently uses the "let's use time() as the session cookie and not check anything else" approach to user authentication.

As I've never written a login system before, I could try and roll my own and stumble into many traps on the way. Thus I'd like to ask if you can suggest to me a method that uses existing CPAN modules and also general guidelines for how to apply it given a standard structure of MySQL DB with accounts having id, username, email and password.

Currently I'm planning to replace the timestamp with a Data::GUID as well as add in an MD5 hash of the username, password and the first two tuplets of the user IP. Both of these would be stored in a simple table, checked on every user action.

Re: Best practices for secure persistent login?
by perrin (Chancellor) on May 27, 2009 at 17:53 UTC
    The common practice is to use a unique ID and use an SHA1 digest with a secret salt to prevent tampering with the ID. No need to build your own when CGI::Session is already there.
      Thanks for pointing me at that, I'd completely forgotten about it. :)
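
The tamper check described in the reply above, as an added example that is not code from the thread or from CGI::Session: a random session ID is issued together with a keyed digest, and the server rejects any cookie whose digest does not match. It uses HMAC-SHA1 from Digest::SHA rather than a bare SHA1 over secret plus ID, since HMAC is the standard keyed construction. The sub names, the `$SECRET` placeholder, the `id.mac` cookie layout and the use of `/dev/urandom` (Unix-like host) are assumptions; an ID that verifies must still be looked up in the server-side session table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1_hex);

# Server-side secret (placeholder): load it from config outside the web root.
my $SECRET = 'replace-with-long-random-server-secret';

# Random 128-bit session ID from the OS CSPRNG, never time() or a counter.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read($fh, my $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack 'H*', $buf;
}

# Cookie value is "<id>.<mac>"; the MAC is keyed with the server secret.
sub sign_id {
    my ($id) = @_;
    return $id . '.' . hmac_sha1_hex($id, $SECRET);
}

# Compare without an early exit so timing does not reveal the match position.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session ID if the cookie is intact, nothing otherwise.
sub verify_cookie {
    my ($cookie) = @_;
    return unless defined $cookie
        && $cookie =~ /\A([0-9a-f]{32})\.([0-9a-f]{40})\z/;
    my ($id, $mac) = ($1, $2);
    return ct_eq($mac, hmac_sha1_hex($id, $SECRET)) ? $id : undef;
}

my $cookie = sign_id(new_session_id());    # constructed sample value
(my $altered = $cookie) =~ s/\A(.)/$1 eq '0' ? '1' : '0'/e;  # ID changed, MAC kept

printf "issued:  %s\n", defined(verify_cookie($cookie))  ? 'accepted' : 'rejected';
printf "altered: %s\n", defined(verify_cookie($altered)) ? 'accepted' : 'rejected';
```

The digest only proves the server issued the ID; expiry, logout and password changes still have to invalidate the row on the server side.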
