$ENV{'REMOTE_ADDR'}.$ENV{'REMOTE_PORT'} are not actually being used in the cookie itself. They, along with the salt and the process id ($$) are merely being used with Digest::MD5 to increase the likelihood of generating unique session ids. In retrospect, I suppose that I should also throw a randomly generated number in there.

We are not using the server's built in authentication and session tracking because we hope to reuse this code on different sites and cannot guarantee which server we'll be using. This seemed like a more portable approach.

As for the contents of the cookie being spoofable, guessable, and tainted:

  • Spoofable:

    If the digest in the cookie doesn't match what's in the database, they simply get redirected to the login.

  • Guessable:

    To guess how to generate the digest, they'd have to figure out the salt, which I think is non-trivial. If they sniff it, they could possibly hijack a session, but that's why the digest is changed on every access. The attacker would have to sniff the cookie and submit it before the user clicked on another link (this is the big weakness of not having everything over an SSL connection). If they do sniff the cookie and don't send it soon enough, either a new digest will be in the database or the database-controlled session timeout will block them.

  • Tainted:

    Shouldn't matter. At no point is anything done with the cookie data except check to see if it is the same as what's in the database. Oh, there is one exception: it's included in an SQL statement for clearing old sessions, but even then a placeholder is used in the SQL to ensure that it's properly quoted.

Cheers,
Ovid

Vote for paco!

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
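The session scheme described in the post above, as an added example in Perl (this is not Ovid's code; the salt value, the 15-minute timeout, and the in-memory hash standing in for the sessions table are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed stand-in for the sessions table: digest => { user, last_access }.
# In the real scheme this lives in a database and stale rows are cleared with a
# placeholder query such as "DELETE FROM sessions WHERE last_access < ?".
my %sessions;
my $SALT    = 'example-salt-not-a-real-secret';   # assumed site-wide secret
my $TIMEOUT = 15 * 60;                            # assumed idle timeout (seconds)

# Fresh digest from the connection details, the salt, the process id and a
# random number (the addition the post says it should have had). These inputs
# are only there to make ids unique; none of them is recoverable from the cookie.
sub new_digest {
    my ($env) = @_;
    return md5_hex($env->{REMOTE_ADDR}, $env->{REMOTE_PORT}, $SALT, $$, rand(), time());
}

# Start a session after a successful login; returns the cookie value.
sub login {
    my ($user, $env) = @_;
    my $digest = new_digest($env);
    $sessions{$digest} = { user => $user, last_access => time() };
    return $digest;
}

# Validate the cookie on each request. Unknown or expired digests go back to
# the login page; a valid digest is replaced so a sniffed cookie is only
# useful until the user's next click.
sub check_request {
    my ($cookie, $env) = @_;
    return (undef, 'login') unless defined $cookie;
    my $row = delete $sessions{$cookie} or return (undef, 'login');   # spoofed/unknown
    return (undef, 'login') if time() - $row->{last_access} > $TIMEOUT; # timed out
    my $fresh = new_digest($env);
    $sessions{$fresh} = { %$row, last_access => time() };
    return ($row->{user}, $fresh);                                      # new cookie value
}

# Walk-through with constructed request data.
my %env = (REMOTE_ADDR => '192.0.2.10', REMOTE_PORT => 51234);
my $cookie = login('ovid', \%env);
my ($user, $next) = check_request($cookie, \%env);
print "first request: user=$user rotated=", ($next ne $cookie ? 'yes' : 'no'), "\n";
my ($replay) = check_request($cookie, \%env);      # old cookie replayed after rotation
print "replayed cookie accepted: ", (defined $replay ? 'yes' : 'no'), "\n";
```

The second call shows the replay behaviour the post relies on: once the digest has rotated, the earlier cookie no longer matches anything in the store.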


In reply to (Ovid) Re(2): CGI Security Advice Sought by Ovid
in thread CGI Security Advice Sought by Ovid
