Incidentally you just said a Very Bad Thing. Normally your user passes in the authentication information and then you return a token - usually a hash of a server-side secret plus a session id. You then send over in the cookie both the hash and the session id. This provides for both uniqueness and security.

The essentials are:

server side secret: I generate a 2048 bit binary value and store it on the server. This is only used for input into the hash function. This must be kept secret (or regenerated) since this is your protection against forged session IDs. Keep in mind that you shouldn't just regenerate this willy-nilly since you don't want to deplete your operating system's entropy pool. Normally I just create a file which writes out another file with some binary value stored in a string, sort of like:

use constant SECRET => "\001sd3!@\007";

use constant RANDOM_DEVICE => '/dev/random';   # assumed: the post does not show this definition
my $bytes = 2048 / 8;                          # 2048-bit secret, as described above

open my $random, '<', RANDOM_DEVICE or die "Cannot open " . RANDOM_DEVICE . ": $!";
binmode $random;                               # raw bytes, no layer translation
my $rc = read $random, my $secret, $bytes;     # read returns the byte count (undef on error), not the data
close $random or die "Cannot close " . RANDOM_DEVICE . ": $!";
die "Nothing was read!" unless $rc;
die "Mismatched read: $bytes vs $rc!" if $bytes != $rc;
# quote the binary value for inclusion in a double-quoted string;
# zero-padded octal so a digit that follows cannot extend the escape
$secret =~ s/[\x00-\xff]/sprintf '\\%03o', ord $&/ge;

unique session id: Normally this just takes the form of an incrementing number à la 1 -> infinity (or wherever the number rolls over). This *must* be unique or you run the risk of colliding session keys. The best way of guaranteeing uniqueness is to just use a counter. Normally I just let my database handle this as a sequence. This is easy to attack so you augment it with a cryptographic hash.

my $sessionid = $dbh->selectrow_array ( "SELECT nextval('UserSessionSeq')" );

cryptographic hashing algorithm: Use MD5 or SHA1 (slower but more secure) to combine the sequence with the secret. Make sure you separate your two tokens to prevent them from running together. You can get collisions if you let them touch so just don't do that. I just separated the leading number from everything else by a single space. Easy.

use Digest::MD5 qw(md5_hex);   # or Digest::SHA qw(sha1_hex) for the SHA1 variant mentioned above
my $sessiondigest = md5_hex(sprintf("%u %s", $sessionid, Voter->SECRET));

The last trick is now you store both the session id and the session digest in the cookie you send to the client. Every time the web browser requests something you have to check that the session id and session key match in your session records. You don't have to do anything complicated here - just a simple equality test will do.

my ($userid, $activeuser, $created, $modified) = $dbh->selectrow_array(
    "SELECT UserID, Activeuser, Created, Modified"
    . " FROM ValidSession"
    . " WHERE SessionID = ?"
    . " AND SessionDigest = ?",
    undef, $sessionid, $sessiondigest
);
# if a row was returned then it was a good match, otherwise something is wrong
# (the session might have just expired as well - views are useful for that)
die "Invalid or expired session" unless defined $userid;

There's an example of all this up at Voter @

In reply to Re: Cookies without by diotalevi
in thread Cookies without by Anonymous Monk
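The scheme described in the post above (a database sequence for the session id, a keyed digest of that id, both carried in the cookie, and a server-side equality check against the stored session row), as an added Python example. This is not diotalevi's Voter code. Assumptions: an in-memory dict stands in for the ValidSession table and itertools.count for nextval('UserSessionSeq'); HMAC-SHA256 over the id is used in place of md5_hex("<id> <secret>"); the digest comparison is done in constant time instead of by the SQL equality; the cookie value format "<id>.<digest>" and the expiry TTL are this example's own choices.

```python
import hashlib
import hmac
import itertools
import os
import time
from typing import Optional

SECRET_BYTES = 32  # this example's size; the post uses a 2048-bit value


def make_secret() -> bytes:
    """Server-side secret, generated once and kept out of source control."""
    return os.urandom(SECRET_BYTES)


class SessionStore:
    """Stands in for the ValidSession table plus the UserSessionSeq sequence (assumed)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        if len(secret) < 16:
            raise ValueError("server secret too short")
        self._secret = secret
        self._seq = itertools.count(1)   # assumed stand-in for nextval('UserSessionSeq')
        self._ttl = ttl_seconds
        self._rows = {}                  # session_id -> {"user_id", "digest", "created"}

    def digest(self, session_id: int) -> str:
        # Keyed hash of the sequence number: the guessable id becomes unforgeable
        # without the secret. HMAC-SHA256 here, where the post used md5_hex.
        msg = str(session_id).encode("ascii")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Open a session; returns the cookie value carrying both id and digest."""
        sid = next(self._seq)
        d = self.digest(sid)
        self._rows[sid] = {"user_id": user_id, "digest": d,
                           "created": now if now is not None else time.time()}
        return f"{sid}.{d}"

    @staticmethod
    def set_cookie_header(cookie_value: str) -> str:
        return f"Set-Cookie: session={cookie_value}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def lookup(self, cookie_value: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid session cookie, None for anything else."""
        try:
            sid_text, presented = cookie_value.split(".", 1)
            sid = int(sid_text)
        except ValueError:
            return None                              # malformed cookie
        row = self._rows.get(sid)
        if row is None:
            return None                              # no such session (never issued, expired or logged out)
        current = now if now is not None else time.time()
        if current - row["created"] > self._ttl:
            del self._rows[sid]                      # the "session might have just expired" case
            return None
        # Equality test against the stored digest, in constant time.
        if not hmac.compare_digest(presented.encode("ascii", "replace"),
                                   row["digest"].encode("ascii")):
            return None
        return row["user_id"]

    def expire(self, session_id: int) -> None:
        """Logout / forced invalidation: drop the row so the cookie stops matching."""
        self._rows.pop(session_id, None)


if __name__ == "__main__":
    store = SessionStore(make_secret())
    cookie = store.create("alice")
    print(store.set_cookie_header(cookie))
    sid, d = cookie.split(".", 1)
    print("own cookie      ->", store.lookup(cookie))
    print("guessed next id ->", store.lookup(f"{int(sid) + 1}.{d}"))
    print("wrong digest    ->", store.lookup(f"{sid}." + "0" * 64))
```

Guessing the next sequence number gets an attacker nowhere: the row either does not exist yet or holds a digest they cannot compute, and the lookup fails the same way in both cases.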
