Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic

Re: CGI Session 'security' for in-house app.

by andreychek (Parson)
on Jul 06, 2001 at 00:41 UTC ( #94268=note: print w/ replies, xml ) Need Help??

in reply to CGI Session 'security' for in-house app.

I'm not sure exactly what type of answer you are looking for, but I'll see what I can do.

First off -- no, it doesn't seem like you are missing anything. Secondly, there's no need to redo what's already been done. Unless you really believe you can do it better. In which case, highly consider adding onto the existing solution instead of re-implementing it. When it comes down to it, most people would agree to do these things when creating web applications:

  • Use for developing your applications
    No one will argue this. If you aren't using, you're asking for trouble.. both from you application, and us because we'll yell at you ;-)

  • Use Apache::Session for managing sessions
    Apache::Session will help create and manage you're sessions. It'll create unique session id's for you, you don't have to worry about that. In fact, I don't one should ever try and create session ID's on your own, there are too many ways to do it incorrectly and insecurely :-) However, as far as I know, there isn't yet a module to manage expiring of sessions, you'll most likely have to do that on your own. But thats easy enough if you store the last time a person was at the site in your database. Next time they connect, if the time is more then 30 minutes or whatever, just redirect them to the login page.

  • Encrypt Passwords using SSL and/or a Challenge Response System
    Even people within your building are capable of sniffing passwords. There are tools that do all the work for them. I would highly recommend doing something.. anything.. to make sure the passwords are not sent in clear text. Even internally.

    A point that I'll argue -- and there are definitely two (often religious) sides to this -- is that I feel one should always use some sort of templating system to create HTML templates when developing web applications. This seperates code from content. There are several available, HTML::Template and Template::Toolkit, to name 2. And then where comes in is to handle the input, sending out headers, and that sort of thing.

    Perhaps there are times to use for generating content. But I personally feel that using for this purpose would create messy applications, even if they do end up creating correct HTML ;-) But the point to argue there is that there are plenty of HTML validators you could use to validate your HTML code if you wanted to use a template. But in the end, it's your choice :-)

  • Comment on Re: CGI Session 'security' for in-house app.

    Log In?

    What's my password?
    Create A New User
    Node Status?
    node history
    Node Type: note [id://94268]
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others taking refuge in the Monastery: (8)
    As of 2015-12-01 01:38 GMT
    Find Nodes?
      Voting Booth?

      What would be the most significant thing to happen if a rope (or wire) tied the Earth and the Moon together?

      Results (791 votes), past polls