Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

Re: Mod_Perl Handlers And Getting Rid Of Sessions In The URL

by blssu (Pilgrim)
on Sep 15, 2002 at 13:14 UTC ( #198031=note: print w/replies, xml ) Need Help??

in reply to Mod_Perl Handlers And Getting Rid Of Sessions In The URL

It sounds like you aren't authenticating requests that send a valid session id. Isn't that your root problem? Are you building obscurity instead of security?

You can't keep URLs private. They'll show up in HTTP headers, log files, browser histories, bookmarks, cut and paste buffers, plain text e-mails, etc.

Session IDs should only identify session state stored on your server; they should not grant access or leak the contents of your server. Ideally the client authenticates using digest mode or some other challenge response system. (Modern browsers even do this correctly.) If you have lots of CPU, basic authentication over HTTPS is also good. If your data isn't sensitive, you could "trust" an IP address for a limited time.

At the very least, add an authentication step to your code. It will make your security solution easy to understand. And big red flags will wave if you see:

sub authenticate_user { return 1 }

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://198031]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (3)
As of 2021-10-25 04:42 GMT
Find Nodes?
    Voting Booth?
    My first memorable Perl project was:

    Results (89 votes). Check out past polls.