Re: Webpage Logins

by knobunc (Pilgrim)
on Apr 12, 2001 at 22:17 UTC


in reply to Webpage Logins

Beware using the IP address as a unique token for a session. Any users that go through a proxy will appear to come from the same IP. AOL users for instance rotate through a handful of IP addresses for each request.

The other replies have hopefully pointed you in the right direction.

Also, if you decide to store the information in a file make sure you lock it when updating and reading. Otherwise it will get corrupted at some point.

Updated: I had a chance to look at how I had coded the login stuff on my pages here. The relevant bit is to use Apache::Session, which gives me an ID that I then stuff into a cookie. The IDs generated are relatively secure; they use all sorts of good random info, then run it through an MD5 hash, so I think they are unguessable. Anyway, on to the code:

use Apache::Session::File;
use CGI::Cookie;

use constant TIMEOUT     => 60 * 60 * 2;   # 2 hours
use constant COOKIE_NAME => 'MY_COOKIE';
use constant BASE_URL    => '/';

# Get the ID from the cookie (if one was set).
# The constant needs a leading '+' inside the hash subscript, otherwise
# Perl looks up the literal key "COOKIE_NAME"; the hash holds CGI::Cookie
# objects, so ->value extracts the ID string.
my $raw_cookie = $r->header_in('Cookie') || "";
my %cookies    = parse CGI::Cookie($raw_cookie);
my $id         = $cookies{+COOKIE_NAME} ? $cookies{+COOKIE_NAME}->value : undef;

# Get the session object from disk; an undef $id creates a new session.
# Note that a stale or forged $id makes tie die ("Object does not exist
# in the data store"), so wrap this in an eval and retry with undef $id.
my %session;
tie %session, 'Apache::Session::File', $id, {
    Directory     => '/tmp/state',
    LockDirectory => '/tmp/state',
};

# Set the cookie back if it was new
if (not defined $id) {
    my $new_cookie = new CGI::Cookie(-name  => COOKIE_NAME,
                                     -value => $session{_session_id},
                                     -path  => BASE_URL,
                                    );
    $r->err_header_out('Set-Cookie' => $new_cookie);
}

# Now just read and write things to the session object
# and they will get saved. You have to be careful about
# any references though. See the docs for details.

# Check to make sure the session is valid: it must have been marked
# valid by the login page and must have been touched within TIMEOUT.
my $cur_time = time;
unless (defined $session{last_access}
        and $session{last_access} >= $cur_time - TIMEOUT
        and defined $session{valid}
        and $session{valid} == 1) {
    # Illegal access, bump to the login page.
    # It must make the session valid by setting the
    # last_access and valid fields.
}
$session{last_access} = $cur_time;

Please note that this code will probably need to be changed to fit your web environment. I was using $r since my code comes from mod_perl. If you are using straight CGI then there is a CGI.pm thing to set the cookie stuff in the response header. The above may or may not work since I cut and pasted relevant bits from my setup (I am using Mason) and actually have stuff split up across subroutines because my data store and authentication is a bit more twisty.

-ben
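The three points in the reply above (do not key a session on the client IP, lock the session file around every read and update, and carry only an unguessable server-generated ID in the cookie with an idle timeout) in one stand-alone example. This is added here and is not the post's Perl/Apache::Session code; it re-implements the same pattern in Python with a file-backed store, and the names FileSessionStore, handle_request, login and demo are this example's own. Nothing in it looks at the client address.

```python
"""Cookie-carried session IDs, idle timeout, locked file store.

Added example, not the original post's Perl/Apache::Session code: the
same pattern (opaque random ID in a cookie, state kept server-side, a
2 h idle timeout, locking around file access) written stand-alone."""
import fcntl
import json
import os
import secrets
import tempfile
from http.cookies import SimpleCookie

TIMEOUT = 60 * 60 * 2      # two hours of idleness, as in the post
COOKIE_NAME = "MY_COOKIE"
BASE_URL = "/"
ID_HEX_LEN = 32            # 128 random bits, hex-encoded


def new_session_id():
    """Unguessable ID from the OS CSPRNG; the client never chooses it."""
    return secrets.token_hex(ID_HEX_LEN // 2)


class FileSessionStore:
    """One JSON file per session. Every read and write holds flock() on a
    shared lock file, so concurrent requests cannot corrupt the store."""

    def __init__(self, directory):
        self.directory = directory
        os.makedirs(directory, exist_ok=True)
        self.lock_path = os.path.join(directory, ".lock")

    def _path(self, sid):
        # Only well-formed IDs become file names: a cookie value such as
        # "../../etc/passwd" must never turn into a path on disk.
        if sid is None or len(sid) != ID_HEX_LEN:
            return None
        if any(c not in "0123456789abcdef" for c in sid):
            return None
        return os.path.join(self.directory, sid + ".json")

    def _locked(self, fn):
        with open(self.lock_path, "a+") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)
            try:
                return fn()
            finally:
                fcntl.flock(lock, fcntl.LOCK_UN)

    def load(self, sid):
        """Session dict, or None if the ID is malformed or unknown."""
        path = self._path(sid)
        if path is None:
            return None

        def read():
            try:
                with open(path) as f:
                    return json.load(f)
            except FileNotFoundError:
                return None
        return self._locked(read)

    def save(self, sid, data):
        path = self._path(sid)

        def write():
            tmp = path + ".tmp"          # write then rename: never half-written
            with open(tmp, "w") as f:
                json.dump(data, f)
            os.replace(tmp, path)
        self._locked(write)


def handle_request(store, cookie_header, now):
    """Resolve one request's session. Returns (sid, session, set_cookie, valid).
    set_cookie is the Set-Cookie value when a session was minted, else None.
    valid is False if never logged in or idle past TIMEOUT: show the login page."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    session = store.load(sid)
    set_cookie = None
    if session is None:
        # Missing, malformed or unknown ID: mint a fresh one. The client's
        # value is discarded, so it cannot fixate its own session ID.
        sid, session = new_session_id(), {}
        out = SimpleCookie()
        out[COOKIE_NAME] = sid
        out[COOKIE_NAME]["path"] = BASE_URL
        out[COOKIE_NAME]["httponly"] = True
        set_cookie = out.output(header="").strip()
    valid = (session.get("valid") == 1
             and session.get("last_access", 0) >= now - TIMEOUT)
    if not valid:
        session["valid"] = 0     # expiry sticks even though last_access moves
    session["last_access"] = now
    store.save(sid, session)
    return sid, session, set_cookie, valid


def login(store, sid, now):
    """What the login page does after the credentials check out."""
    session = store.load(sid) or {}
    session.update(valid=1, last_access=now)
    store.save(sid, session)


def demo():
    """Walk one client through the flow on constructed timestamps."""
    store = FileSessionStore(tempfile.mkdtemp(prefix="state-"))
    t0 = 1_000_000
    sid, _, set_cookie, v0 = handle_request(store, None, t0)      # first visit
    login(store, sid, t0)
    hdr = f"{COOKIE_NAME}={sid}"
    _, _, _, v1 = handle_request(store, hdr, t0 + 60)              # still fresh
    _, _, _, v2 = handle_request(store, hdr, t0 + 60 + TIMEOUT + 1)  # idle too long
    _, _, _, v3 = handle_request(store, hdr, t0 + 60 + TIMEOUT + 2)  # stays out
    bad = f"{COOKIE_NAME}=../../etc/passwd"                        # forged ID
    sid2, _, sc2, _ = handle_request(store, bad, t0)
    return {"first": v0, "fresh": v1, "expired": v2, "after_expiry": v3,
            "bad_id_replaced": sid2 != "../../etc/passwd" and sc2 is not None,
            "set_cookie": set_cookie}
```

The idle check mirrors the reply's intent (last access no older than TIMEOUT, and a valid flag set only by the login page); once a session has expired, its valid flag is cleared so that refreshing last_access on later requests cannot bring it back without logging in again.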
