PerlMonks  

Re: Ecryption?

by $code or die (Deacon)
on Feb 17, 2001 at 22:37 UTC [id://59184]



in reply to Ecryption?

I would suggest using cookies. It would be easy to change the existing scripts to do this. The level of security would then depend on what is stored in the cookie. Typically, when I do this, I authenticate the user, and then create a random session variable in a database. The cookie will then only have the username and session variable - no password. Then on each call, I check that the session variable passed by the cookie is valid and that it is for the correct user.

See merlyn's node: Adding "state" to HTTP for other methods, then if you're still interested see the Web Techniques columns...

Afterthought: The other responses to this question deal more with encrypting the data. My method (I believe) is secure so long as you use SSL for the original authentication. It seems to me that your problem is not so much about "sniffing" but more that if someone leaves their PC while logged in, someone could come along, "view source" and see the password. Even if you encrypt the password using client-side script or MD5, then people can still impersonate other users because your script relies on the encrypted data being posted, which doesn't change between logins. If you have a database of valid session IDs, then they are no longer valid once someone has logged off - i.e. next time they log in, they will have a different session ID.

$code or die
Using perl at
The Spiders Web
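As an added illustration (not code from the original node or its author), here is a minimal Perl sketch of the scheme described above: a random session ID is created at login and stored server-side, the cookie carries only the username and that ID, every request checks the pair against the store, and logout deletes the ID so a stale cookie or a saved page is useless afterwards. The `%sessions` hash stands in for the database table and all names are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# In-memory stand-in for the sessions table; a real CGI script would use DBI.
my %sessions;   # session_id => username

# Read 32 random bytes from the kernel CSPRNG so the ID cannot be guessed.
sub random_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;   # 64 hex characters
}

# Called once, after the password has been verified (over SSL).
sub login {
    my ($user) = @_;
    my $id = random_session_id();
    $sessions{$id} = $user;
    # The cookie holds only username + session id, never the password.
    return "user=$user; session=$id";
}

# Split "user=...; session=..." back into its two values.
sub parse_cookie {
    my ($cookie) = @_;
    my %c = map { split /=/, $_, 2 } split /;\s*/, $cookie;
    return @c{qw(user session)};
}

# Per-request check: the id must exist AND belong to the claimed user.
sub is_valid {
    my ($cookie) = @_;
    my ($user, $id) = parse_cookie($cookie);
    return 0 unless defined $user && defined $id && exists $sessions{$id};
    return $sessions{$id} eq $user ? 1 : 0;
}

# Logout removes the id; the next login gets a fresh one.
sub logout {
    my ($cookie) = @_;
    my (undef, $id) = parse_cookie($cookie);
    delete $sessions{$id} if defined $id;
}

my $cookie = login('alice');                       # constructed demo user
print "valid after login: ", is_valid($cookie), "\n";   # 1
(my $forged = $cookie) =~ s/user=alice/user=bob/;  # same id, other username
print "forged username:   ", is_valid($forged), "\n";   # 0
logout($cookie);
print "after logout:      ", is_valid($cookie), "\n";   # 0
```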

Re: Re: Ecryption?
by Punto (Scribe) on Feb 17, 2001 at 23:37 UTC
    So, for the encryption I could use 'MD5' (what is md5?), and a session ID system..
    The session ID would be like the 'key', and I need it to decrypt the password on the server side, right?

    I know there is an apache module that takes care of the session ID thing.

    (thanks)

      actually (replying to myself) I'd make a 'digest' with the password and the session id, and post that on the forms, and authenticate against that. The problem is that the script is not saving the password as plaintext on the database (crypt()). But I could still use it. Thanks!

      UPDATE: this is the solution I used after all. I get the session number from mod_session (apache module), and I create an 'md5_base64' string with that and the crypt()ed password (that's how the passwords are stored on the base), that's what I put on the forms.
      Thanks everyone for your help!
