Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Re: CGI Session 'security' for in-house app.

by andreychek (Parson)
on Jul 06, 2001 at 00:41 UTC ( [id://94268]=note: print w/replies, xml ) Need Help??


in reply to CGI Session 'security' for in-house app.

I'm not sure exactly what type of answer you are looking for, but I'll see what I can do.

First off -- no, it doesn't seem like you are missing anything. Secondly, there's no need to redo what's already been done. Unless you really believe you can do it better. In which case, highly consider adding onto the existing solution instead of re-implementing it. When it comes down to it, most people would agree to do these things when creating web applications:

  • Use CGI.pm for developing your applications
    No one will argue this. If you aren't using CGI.pm, you're asking for trouble.. both from you application, and us because we'll yell at you ;-)

  • Use Apache::Session for managing sessions
    Apache::Session will help create and manage you're sessions. It'll create unique session id's for you, you don't have to worry about that. In fact, I don't one should ever try and create session ID's on your own, there are too many ways to do it incorrectly and insecurely :-) However, as far as I know, there isn't yet a module to manage expiring of sessions, you'll most likely have to do that on your own. But thats easy enough if you store the last time a person was at the site in your database. Next time they connect, if the time is more then 30 minutes or whatever, just redirect them to the login page.

  • Encrypt Passwords using SSL and/or a Challenge Response System
    Even people within your building are capable of sniffing passwords. There are tools that do all the work for them. I would highly recommend doing something.. anything.. to make sure the passwords are not sent in clear text. Even internally.

    A point that I'll argue -- and there are definitely two (often religious) sides to this -- is that I feel one should always use some sort of templating system to create HTML templates when developing web applications. This seperates code from content. There are several available, HTML::Template and Template::Toolkit, to name 2. And then where CGI.pm comes in is to handle the input, sending out headers, and that sort of thing.

    Perhaps there are times to use CGI.pm for generating content. But I personally feel that using CGI.pm for this purpose would create messy applications, even if they do end up creating correct HTML ;-) But the point to argue there is that there are plenty of HTML validators you could use to validate your HTML code if you wanted to use a template. But in the end, it's your choice :-)
    -Eric
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Domain Nodelet?
    Node Status?
    node history
    Node Type: note [id://94268]
    help
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this?Last hourOther CB clients
    Other Users?
    Others making s'mores by the fire in the courtyard of the Monastery: (2)
    As of 2024-03-19 07:14 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      No recent polls found