modperl
Re: Implementing security in CGI
by Jeff Beard
Apr 19 2000 6:41AM
This is a question for comp.infosystems.www.authoring.cgi.

But since I'm here...

I would check for the cookie every time a request is made. If you use 
Apache::Session there will be a separate session data store from the user 
data, which is probably what you really want. Apache::Session will allow 
you to associate whatever data you like with the session id within its own 
schema.

If the browser is closed, the cookie will remain. You can have a logout 
feature but there will always be a significant percentage of users that 
won't bother. So limit the life of the cookie with the time value and 
periodically cull stale sessions on the server.

--Jeff


At 05:21 PM 4/19/00, Differentiated Software Solutions Pvt. Ltd. wrote:
> Hi,
> 
> My question is much more basic than that. I wanted to validate my design
> ideas on a programmatic security.
> I would like somebody to go through the following and tell me that I'm on
> the right track.
> 
> The idea I had was, at the time of login, I generate the session id which I
> write to the cookie.
> I have also tied to this session_id the user's login profile.
> Every other screen checks for the cookie's existence and reads back the
> session_id and gets the user's profile. I hope I'm right till then.
> When the user signs out then we can delete the tied file.
> Now any person who has access to the same browser will still have to login
> to get to the inner pages.
> 
> If the browser is killed without sign-out from the system, even then there's
> no problem.
> Next person who gets access to the browser and tries to access any inner
> page will not be able to, because the cookie with the session-id does not
> exist.
> 
> Am I right ??? Please help.
> 
> Thanks,
> 
> Murali
> 
> -----Original Message-----
> From: Gunther Birznieks <gunther@[...].com>
> To: modperl@[...].org <modperl@[...].org>
> Date: 19 April 2000 18:44
> Subject: Re: Implementing security in CGI
> 
> 
>  >Apache::Session could be useful. But the session key that is generated is
>  >arguably not necessarily the most secure that it could be. But it is pretty
>  >good.
>  >
>  >I'm probably opening up a can of worms by saying this.
>  >
>  >The MD5 hash itself is relatively secure as hashes go (although SHA hash
>  >space could be better). But you are relying on underlying system variables
>  >to determine what is put into MD5 hashing in the first place -- and this
>  >data is not necessarily the most random -- process ID, time, memory address
>  >of the created hash, etc. are a bit deterministic. rand() might be good
>  >if it is on a system that plugs natively into a good entropy generator on
>  >that machine.
>  >
>  >To get a better key, you probably end up spending more time pulling
>  >relatively random data sources together so key generation itself would be
>  >slow-- a computational tradeoff. Depends on how "secure" you really want to
>  >be. For most situations,  Apache::Session's key generator will work fine.
>  >
>  >It also depends how long you intend the sessions to be active. Will they
>  >become a "token" that is used in lieu of authentication once the user has
>  >entered a username and password or issued a digital client certificate to
>  >your web site? Or will it be used after the user registers for a month+ to
>  >allow them to get back into your site without remembering a password?
>  >
>  >-- Gunther
>  >
>  >At 01:34 PM 4/19/00 +0530, Differentiated Software Solutions Pvt. Ltd.
> wrote:
>  >>Hi,
>  >>
>  >>We are having a site which is programmed with perl/CGI.
>  >>To enter the site we have a login and password.
>  >>After which some reports are displayed.
>  >>
>  >>I know that using cookies it is possible to secure the site.
>  >>Can somebody guide me on how to design and implement a cookie based
>  >>security. Sites and books on same will be greatly appreciated.
>  >>
>  >>Would Apache::Session be useful for this ??
>  >>
>  >>Thanks for the help,
>  >>
>  >>Murali
>  >>
>  >>Differentiated Software Solutions Pvt. Ltd.,
>  >>176, Gr. Floor, 6th Main
>  >>2nd Block RT Nagar
>  >>Bangalore - 560 032
>  >>India
>  >>Ph: 91 80 3431470
>  >>email : diffs@vsnl.com
>  >>http://www.diffs-india.com
>  >>
>  >
>  >__________________________________________________
>  >Gunther Birznieks (gunther.birznieks@extropia.com)
>  >Extropia - The Web Technology Company
>  >http://www.extropia.com/



Jeff Beard
_______________________________
Web:		www.cyberxape.com
Phone:	303.443.9339
Location:	Boulder, CO, USA
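The design discussed in this thread (a random session id written to a cookie, a server-side store keyed by that id holding the user's profile, a check on every request, a bounded cookie lifetime, logout that destroys the server-side record, and periodic culling of stale sessions), plus Gunther's point that an id hashed from process id, time and a memory address is reproducible from guessable inputs, can be shown in a small self-contained example. This is an added illustration in Python, not code from the thread, from Apache::Session or from any of its posters; the `SessionStore` class, `weak_session_id`, `strong_session_id` and `set_cookie_header` names are this example's own, the `ttl_seconds` and injectable `clock` parameters are assumptions made so the expiry logic can be exercised deterministically, and the `HttpOnly`/`Secure` cookie attributes are modern hardening that the original discussion does not mention.

```python
"""Server-side session store with an expiring cookie (constructed example)."""
import hashlib
import secrets
import time


def weak_session_id(pid: int, now: float, addr: int) -> str:
    # The pattern Gunther describes: a hash over process id, time and a
    # memory address. The same inputs always give the same id, and all
    # three inputs live in small, guessable ranges, so the id inherits
    # little real entropy from the hash (illustration only, not Apache::Session's code).
    return hashlib.md5(f"{pid}:{now}:{addr}".encode()).hexdigest()


def strong_session_id() -> str:
    # 128 bits drawn from the operating system's CSPRNG; nothing about the
    # process or the clock lets a third party reproduce it.
    return secrets.token_hex(16)


class SessionStore:
    """Session records live only on the server; the cookie carries the id."""

    def __init__(self, ttl_seconds: int, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can move time forward
        self._sessions = {}         # sid -> {"profile": dict, "expires": float}

    def create(self, profile: dict) -> str:
        """Login: mint a fresh id and tie the user's profile to it."""
        sid = strong_session_id()
        self._sessions[sid] = {"profile": dict(profile),
                               "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid: str):
        """Every request: return the profile for a live session, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            # Stale record: discard it so an old cookie cannot be replayed.
            del self._sessions[sid]
            return None
        entry["expires"] = self.clock() + self.ttl   # sliding expiry on activity
        return entry["profile"]

    def destroy(self, sid: str) -> bool:
        """Logout: drop the server-side record even if the cookie lingers."""
        return self._sessions.pop(sid, None) is not None

    def cull(self) -> int:
        """Periodic sweep for sessions whose users never logged out."""
        now = self.clock()
        stale = [sid for sid, e in self._sessions.items() if e["expires"] <= now]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def count(self) -> int:
        return len(self._sessions)


def set_cookie_header(sid: str, ttl_seconds: int) -> str:
    # Max-Age bounds the cookie's life in the browser to match the server TTL;
    # HttpOnly keeps scripts from reading it and Secure keeps it off plain HTTP.
    return f"SESSION_ID={sid}; Max-Age={ttl_seconds}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=600)
    sid = store.create({"user": "murali"})
    print(set_cookie_header(sid, 600))
    print("profile on next request:", store.lookup(sid))
    store.destroy(sid)
    print("profile after logout:", store.lookup(sid))
```

The two id generators show the difference Gunther is getting at: `weak_session_id` is a pure function of its inputs, so anyone who can narrow down the pid, the login time and the address range can recompute candidate ids, whereas `strong_session_id` cannot be reproduced at all. The store answers Murali's question about closed browsers: the cookie may survive in the browser, but once the server-side record has expired or been culled, presenting it yields `None` and the next user has to log in again.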