PerlMonks
Re: How to make a secure website
by Jeppe (Monk) on Jul 08, 2004 at 12:24 UTC (id://372765)
You should take a look at Apache::Session. It might be what you're looking for.
Seriously, store only a session id in the cookie. Don't store a cleartext user id, and make sure you somehow make it impossible to calculate a valid session id. That is, the session id must be a large number - too large to be brute-forced. The distribution of the algorithm that produces the session id must be flat. And - of course - make sure the login is performed over an HTTPS connection. Other than that, make sure you properly process anything the users submit through forms or URL tampering.
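The session-id scheme the reply describes, written out as an added Perl example (this is not code from the post, and it does not use Apache::Session; it is a stand-alone illustration). The id is 16 bytes read from the kernel's /dev/urandom, so it is both too large to enumerate and uniformly distributed, which Perl's rand() is not. The cookie carries only that id; the user id stays in a server-side table. The cookie name, the 128-bit size, the in-memory %sessions store and the sample user 'alice' are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed for this example: 128 bits of entropy per id and an
# arbitrary cookie name. 2^128 possible ids cannot be brute-forced.
use constant ID_BYTES    => 16;
use constant COOKIE_NAME => 'SESSION';

# Read raw bytes from the kernel CSPRNG. Each byte is uniformly
# distributed, so the resulting hex string has a flat distribution.
# Perl's rand() is seeded from a small state and must not be used here.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, ID_BYTES;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == ID_BYTES;
    return unpack 'H*', $bytes;    # 32 lowercase hex characters
}

# Server-side store keyed by session id. The user id lives only here;
# the cookie never carries it in cleartext. (In-memory hash is an
# assumption for the example; a real site would persist this.)
my %sessions;

sub login_user {
    my ($user_id) = @_;
    my $sid = new_session_id();
    $sessions{$sid} = { user_id => $user_id, created => time };
    return $sid;
}

# Set-Cookie header for the id. Secure keeps the cookie off plain http
# (matching the advice to log in over https); HttpOnly keeps it away
# from script running in the page.
sub session_cookie_header {
    my ($sid) = @_;
    return 'Set-Cookie: ' . COOKIE_NAME . "=$sid; Path=/; Secure; HttpOnly";
}

# Resolve a submitted Cookie header to a user id. Accept only values that
# have exactly the shape we generate AND exist in the store, so a guessed
# or tampered cookie value resolves to "not logged in" rather than to
# anything the attacker chose.
sub user_from_cookie {
    my ($cookie_header) = @_;
    return undef unless defined $cookie_header;
    my $name   = COOKIE_NAME;
    my $hexlen = ID_BYTES * 2;
    my ($sid) = $cookie_header =~ /(?:^|;\s*)\Q$name\E=([0-9a-f]{$hexlen})(?:;|$)/;
    return undef unless defined $sid && exists $sessions{$sid};
    return $sessions{$sid}{user_id};
}

# Demonstration with a constructed login and two constructed Cookie headers.
my $sid = login_user('alice');
print session_cookie_header($sid), "\n";
print 'valid cookie    -> ', (user_from_cookie(COOKIE_NAME . "=$sid")  // 'not logged in'), "\n";
print 'tampered cookie -> ', (user_from_cookie(COOKIE_NAME . '=alice') // 'not logged in'), "\n";
print 'forged hex id   -> ', (user_from_cookie(COOKIE_NAME . '=' . ('0' x 32)) // 'not logged in'), "\n";
```

The lookup deliberately rejects anything that is not 32 hex characters before touching the store, so the cookie value can never be used as a user name, a path, or a database key. Apache::Session, which the reply recommends, keeps the same split: the cookie holds only the id it hands back in $session{_session_id}, and everything else lives in the tied hash on the server.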
In Section: Seekers of Perl Wisdom