I am writing a rather large WebApp using CGI::Application, HTML::Template, Apache::Session all under mod_perl.
I wish to make the operation as secure as possible. Presently I have the following:
- INPUT VERIFICATION - SessionID, UserID & RunMode produce an MD5 hash as a checksum, the three values plus the checksum are encrypted using Blowfish and sent to the client as a hidden field. When it is returned the veracity of the 'secret' is tested and if it passes the session is allowed to continue.
- Form data is validated at the client end using JS, but is repeated again on the server.
- Search query fields are all tested to see that they are of the appropriate type before they are used.
- Updated: Thanks for the reminder freddo411, this all takes place over an SSL connection.
OK, my question is, what am I missing? Is there any other technique I should be using along with these?
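The hidden-field token described in the post, as an added Python example that is not the poster's code: the SessionID, UserID and RunMode are bound together with a keyed HMAC-SHA256 tag (used here in place of the MD5-plus-Blowfish construction, since it needs only the standard library), and the check fails closed on any decoding error or tag mismatch. The server key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never sends it to the client.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def make_token(session_id: str, user_id: str, run_mode: str, key: bytes = SERVER_KEY) -> str:
    """Bind SessionID, UserID and RunMode into one opaque hidden-field value.

    The tag is HMAC-SHA256 over the canonical JSON encoding of the three
    fields, so changing any field invalidates the tag without the server key."""
    payload = json.dumps([session_id, user_id, run_mode], separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (
        base64.urlsafe_b64encode(payload).decode(),
        base64.urlsafe_b64encode(tag).decode(),
    )


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return (session_id, user_id, run_mode) if the tag is valid, else None.

    Decoding errors, a wrong field count or a tag mismatch all fail closed."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if not (isinstance(fields, list) and len(fields) == 3
            and all(isinstance(f, str) for f in fields)):
        return None
    return tuple(fields)


if __name__ == "__main__":
    tok = make_token("sess-42", "alice", "edit_profile")
    print(verify_token(tok))                 # ('sess-42', 'alice', 'edit_profile')
    print(verify_token(tok, key=b"other"))   # None
```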