Fellow monks,

I am hoping someone can point out the error(s) of my way here. I am using an html form to POST two values 'user' and 'pass' to a validation script, which sets a cookie called 'id' (if the user is valid) and returns a link to the main cgi that requires the cookie

Security pundits - I know this is frightfully insecure to send 'pass' in this manner , I believe it's as bad as an ftp site without strong auth, or telnet. I have read Ovid's offsite cgi tutorials (recommended). For the moment I am trying to get cookies to work at ALL, before trying to secure them.

so the validator looks like

#!/usr/bin/perl -wT
use strict;
use CGI;


my $q= CGI->new();
my $name = $q->param('name');
my $password = $q->param('password');
while ( my($u , $p ,,) = getpwent ) {
 if ($name eq $u) {
        my $salt = substr($p,0,2);
        my $check = crypt ($password, $salt);
        if ($check) { # yes yes, it's always true - FOR NOW!
         &success;
        }
        else { &fail };
 }
}
&fail;
exit(0);

sub fail {
 print 
        $q->header('text/html'),
        $q->start_html(-title=>'Unsuccessful Login'),
        $q->a({href=>'http://proxy/testform.html'} ,'Return to Login P
+age'),
        $q->end_html;
 exit(0);
}

sub success {
 my $cookie = $q->cookie(-name=>'id', -value=>$name ,
                        -expires=>'-1h');
 print
        $q->header(-type=>'text/html',
                -cookie=>$cookie),
        $q->start_html(-title=>"Welcome $name"),
        $q->a({href=>'http://proxy/cgi-bin/view/browse.pl?test=1'}, 'P
+roceed to Viewing Area'),
        $q->end_html;
 exit(0);
}
[download]

I am certain that this is setting a cookie, IE warns me and I accept the cookie. But when browse.pl runs

#!/usr/bin/perl -wT
use strict;
use CGI;
use Data::Dumper;

my $q= CGI->new;
my $cookie = $q->cookie('id'); #This keeps returning undef
[download]

Apache documentation is pretty sparse , and indicates that cookie problems are generally script or client based, the system I am running on is RH7.3, perl 5.6.1 , apache 1.3.26