lm_mario has asked for the wisdom of the Perl Monks concerning the following question:
Hello,
I am making a chat program in PERL and I have created a login script. I ran across a security problem when passing the username and password value though the url \ (cause well you could see them hehe)... So I had the script picka random number then create a file with that randomnumber.dat then i had it stor the username and password inside it (with 700) permissions. Soo then the page is created and the script reffers the the number in the url instead of displayign the uername and password. After the script gets the random number and opens it and reads it...it deletes the file. Soo I want your feedback to see how yall would have done this..
Re: Login stuff hehe/
by merlyn (Sage) on Oct 01, 2000 at 06:01 UTC
|
Use method POST rather than method GET, and pass the
data as two form fields. No more URL visibility, and the login won't be cached
either.
-- Randal L. Schwartz, Perl hacker | [reply] |
Re (tilly) 1: Login stuff hehe/
by tilly (Archbishop) on Oct 01, 2000 at 05:06 UTC
|
In Put name and password in URLs I discuss how Hotmail solves this exact
problem. Note that in the last few weeks the RSA patent
expired. You can now aquire, for free and legally in the
US, both Apache and mod_ssl to implement the https server
required in the authentication.
As for your solution, it is pretty good but I would have a
number of concerns. For instance what happens if someone
sends you a request that matches a file you care about?
Can someone who is sniffing the network spoof the
connection? Was the password sent in the clear?
None of this probably matters for a chat server. (Heck how
many of us are willing to let cookies go around with
plaintext passwords?) But I wouldn't want to trust that
with important data. | [reply] |
RE: Login stuff hehe/
by AgentM (Curate) on Oct 01, 2000 at 04:27 UTC
|
Man, if your chat is supposed to be CGI, use FastCGI or some equivalent so that you don't have to worry about process -time variables (vars that die with the program). Store the stuff in hashes. You can use mmap later to service multiple client in shared memory. Otherwise (or if you NEED to store this stuff in a file, tie this stuff into an AnyDB. (be careful of multiple servers accessing data- you will need data/file synchronization) Even a better solution may be to store cookies (use CGI;). There's probably a Q&A section somewhere on perlmonks that discusses CGI/HTML authentication (without webserver style auth). But the random number check wil serve you fine checking the cookie against a hash.
| [reply] |
RE: Login stuff hehe/
by ant (Scribe) on Oct 02, 2000 at 14:43 UTC
|
Hi
You could always encrypt the username and password, and then
send the details in the URL.
However I would prefer using the post method and then use the
CGI module to pick up the username and password in the next script.
Ant | [reply] |
|