PerlMonks |
Re: secure CGI: books and examples? by beebware (Pilgrim)
on Apr 23, 2002 at 20:56 UTC [id://161439]
1. I haven't got a clue about secure FTP, I've never come across a site that needs it (yet!).

2. POST is ideal for large data packets. Using the form-upload method (which is 'POST'ed data), 30Mb files are uploaded no sweat! (above that and things start to fall apart due to the time needed to transfer it all).

3. Don't store the passwords in plain text. If someone forgets their password, email them a link which then takes them to a page with a 'security question' (for example: What are the last three digits of your student number and your date of birth?) and _then_ allow them to change their password (putting limits of 7+ characters, mixed case+numbers etc etc).

4. Don't use Javascript for authentication. I would personally use the standard 'Browser Authentication' method of the 401 Unauthorised type (can't remember its proper name at the moment). Add to that a session ID in the URL and hidden computed checksums on form uploads and you've got a nice secure system. Add https usage and you've got an ecommerce site :D. Look how sites similar to Amazon et al do things and improve upon them. To cut down on the encrypted connection side, only use it for user authentication and the actual question/answer pages. Don't forget to not trust user input!

You may find How to code for Incorrect Clocks and Rapidly Expiring Cookies, Cookie based authentication: Is it Secure?, Essential CGI security Practices useful.
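The "hidden computed checksums on form uploads" idea from point 4, as an added Perl example that is neither beebware's code nor from the thread; the secret, session ID and field names are constructed placeholders, and the checksum is an HMAC (Digest::SHA) rather than a plain hash so a client cannot recompute it without the server secret:

```perl
#!/usr/bin/perl
# Added example: sign the hidden fields of a form so that a tampered POST is
# detected. Assumes a server-side secret stored outside the web root.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Placeholder secret: in practice, load it from a file the web server can
# read but never serve, and rotate it when staff or hosts change.
my $SECRET = 'replace-with-a-long-random-secret';

# Percent-escape the separator characters so values cannot forge field
# boundaries in the signed payload.
sub _escape {
    my $v = shift;
    $v =~ s/([%=\n])/sprintf('%%%02X', ord $1)/ge;
    return $v;
}

# Checksum over the session ID plus every hidden field, in a fixed order.
sub form_checksum {
    my ($session_id, %fields) = @_;
    my $payload = join "\n", "sid=" . _escape($session_id),
        map { "$_=" . _escape($fields{$_}) } sort keys %fields;
    return hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so the check does not leak which byte differed.
sub checksum_ok {
    my ($expected, $given) = @_;
    return 0 unless defined $given && length $given == length $expected;
    my $diff = 0;
    $diff |= ord(substr $expected, $_, 1) ^ ord(substr $given, $_, 1)
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

# Emitting the form: the checksum travels as one more hidden field.
# (Values are constructed; real output must also be HTML-escaped.)
my $sid    = 'c0ffee1234';
my %hidden = (question_id => 42, page => 'q3');
my $sum    = form_checksum($sid, %hidden);
print qq{<input type="hidden" name="$_" value="$hidden{$_}">\n} for sort keys %hidden;
print qq{<input type="hidden" name="sid" value="$sid">\n};
print qq{<input type="hidden" name="chk" value="$sum">\n};

# On submission: recompute from the POSTed fields and compare with the
# posted 'chk'. A client that changed question_id to 43 fails the check.
my %posted = (%hidden, question_id => 43);
print checksum_ok($sum, form_checksum($sid, %posted)) ? "accept\n" : "reject\n";
```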
In Section: Seekers of Perl Wisdom