|No such thing as a small change|
How to make a secure websiteby cranberry13 (Beadle)
|on Jul 07, 2004 at 08:28 UTC||Need Help??|
cranberry13 has asked for the
wisdom of the Perl Monks concerning the following question:
I am creating a website that will require the user to use a login and password.
I've looked at websites that explain how to make a site secure and many of them recommend not putting the username of the user as a cookie.
I would never save the password in a cookie and I would never pass the username or password as a hidden variable (that's just dumb) .... my question is this:
Right now I have it so that when a person logs in (or if they create a new account) I place a cookie saying that 'this userid is logged in'. Every time they click on a link (ie. go to their account manager, post an event, etc.) I immeidately check the cookie to see who it is and if there is not userid cookie then I print the login page and tell them to login.
Anything insecure about this? If so, please let me know and tell me how to make a site 100% secure with regards to logging in and passwords (currently the passwords are stored in a DB and encrypted).
Also, people have recommended storing the sessionid in the DB along with the user id so I can figure out who the user is .... Correct me if I'm wrong but that means anytime they view another page they my programs will have to query the DB -- isn't that inefficient? Thanks!