Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Login stuff hehe/

by lm_mario (Initiate)
on Oct 01, 2000 at 02:13 UTC ( [id://34784]=perlquestion: print w/replies, xml ) Need Help??

lm_mario has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am making a chat program in PERL and I have created a login script. I ran across a security problem when passing the username and password value though the url \ (cause well you could see them hehe)... So I had the script picka random number then create a file with that randomnumber.dat then i had it stor the username and password inside it (with 700) permissions. Soo then the page is created and the script reffers the the number in the url instead of displayign the uername and password. After the script gets the random number and opens it and reads deletes the file. Soo I want your feedback to see how yall would have done this..

Replies are listed 'Best First'.
Re: Login stuff hehe/
by merlyn (Sage) on Oct 01, 2000 at 06:01 UTC
    Use method POST rather than method GET, and pass the data as two form fields. No more URL visibility, and the login won't be cached either.

    -- Randal L. Schwartz, Perl hacker

Re (tilly) 1: Login stuff hehe/
by tilly (Archbishop) on Oct 01, 2000 at 05:06 UTC
    In Put name and password in URLs I discuss how Hotmail solves this exact problem. Note that in the last few weeks the RSA patent expired. You can now aquire, for free and legally in the US, both Apache and mod_ssl to implement the https server required in the authentication.

    As for your solution, it is pretty good but I would have a number of concerns. For instance what happens if someone sends you a request that matches a file you care about? Can someone who is sniffing the network spoof the connection? Was the password sent in the clear?

    None of this probably matters for a chat server. (Heck how many of us are willing to let cookies go around with plaintext passwords?) But I wouldn't want to trust that with important data.

RE: Login stuff hehe/
by AgentM (Curate) on Oct 01, 2000 at 04:27 UTC
    Man, if your chat is supposed to be CGI, use FastCGI or some equivalent so that you don't have to worry about process -time variables (vars that die with the program). Store the stuff in hashes. You can use mmap later to service multiple client in shared memory. Otherwise (or if you NEED to store this stuff in a file, tie this stuff into an AnyDB. (be careful of multiple servers accessing data- you will need data/file synchronization) Even a better solution may be to store cookies (use CGI;). There's probably a Q&A section somewhere on perlmonks that discusses CGI/HTML authentication (without webserver style auth). But the random number check wil serve you fine checking the cookie against a hash.
    AgentM Systems or Nasca Enterprises is not responsible for the comments made by AgentM- anywhere.
RE: Login stuff hehe/
by ant (Scribe) on Oct 02, 2000 at 14:43 UTC
    You could always encrypt the username and password, and then send the details in the URL.
    However I would prefer using the post method and then use the CGI module to pick up the username and password in the next script.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://34784]
Approved by root
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others scrutinizing the Monastery: (3)
As of 2024-07-24 16:05 GMT
Find Nodes?
    Voting Booth?

    No recent polls found

    erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.