modperl
Re: Implementing security in CGI
by Gunther Birznieks
Apr 20 2000 4:27PM
Yeah, it works on all the clients, but it's a pain in the ass to do relative 
URLs when manipulating PATH_INFO.  So it's not necessarily trivial to 
program and maintain unless you pass everything through a monolithic CGI.

Of course, on Apache it may be easier by using mod_rewrite to manipulate 
the URL itself in cool ways.

Another problem with the non-cookie-based approach is if the user leaves the website 
for a brief period and wants to come back. Of course, in this case, it may 
not be a requirement.

One thing I would add to support Manfred's stance on cookies is that not 
all clients support cookies ... e.g. PDAs, mobile phones... But, again, if 
you control your clientele maybe it doesn't matter.

However, as for users that hate cookies -- well, I think it's all over but 
the crying. I think cookies have kind of been forced in vogue by IIS/ASPs 
and Servlets doing session cookies by default... So a lot of developers 
(and there are a lot on ASPs that don't know what they are doing) program 
websites with ASPs and rely on cookies for session ids.

Later,
     Gunther

At 09:44 AM 4/20/00 +0200, Manfred Dehnkamp wrote:
> Hi,
> why do you use cookies??? A lot of people hate them.
> I think a much better idea is to put your sessionID in the PathInfo
> of every requested URI.
> So after the login your CGI generates a SessionID. Let's say your
> CGI has the URI http://domain/mycgi.
> After the login the CGI's output is just a refresh HTML page:
> then if you have a "secure" HTML tree which the logged-in client will be
> able to use, it's very simple:
> all hyperlinks within that tree must be referenced RELATIVE!!!
> So the browser will always put "mycgi/sessionID" on "top" of every hyperlink
> !!!!!
> To make it secure: your script needs to have its own "Documentroot"
> which is only readable by your CGI......
> (=> so your CGI has to read the pathinfo to get the sessionID and the
> requested action/file. The file you have to read with your CGI. ...)
> Every time the client is "using" that sessionID you can "touch" it after
> checking it.
> Then you just need a garbage collector which will destroy every sessionID after
> 5 (10,20...) minutes without touch.
> I think that solution is much better than cookies: it works on EVERY
> client!!!
> 
> (it's of course possible to let the user sign out.. logout.. that should
> destroy the session as well!!)
> 
> with kind regards
> 
> Manfred Dehnkamp

__________________________________________________
Gunther Birznieks (gunther.birznieks@extropia.com)
Extropia - The Web Technology Company
http://www.extropia.com/
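As an added example (not code from this thread or from either author), here is a minimal Perl handler for the scheme Manfred describes and Gunther discusses: the session ID rides in PATH_INFO as "/sessionid/file-or-action", each valid request "touches" the session, a garbage collector drops sessions idle longer than a timeout, "logout" destroys the session, and files are only ever read from a private document root. The docroot path, the 10-minute timeout, the in-memory %SESSIONS store and the use of /dev/urandom are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);
use Digest::SHA qw(sha256_hex);
use Time::HiRes qw(time);

# Constructed example: session records keyed by id, each holding its last-touch time.
# A plain hash only survives between requests in a persistent process (mod_perl).
my %SESSIONS;
my $IDLE_TIMEOUT    = 10 * 60;             # assumed: seconds without a "touch" before collection
my $PRIVATE_DOCROOT = '/srv/private-tree'; # assumed: tree readable by the CGI user only

# Generate an unguessable session id from /dev/urandom (assumed to exist).
sub new_session {
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read $fh, my $bytes, 32;
    close $fh;
    my $id = sha256_hex($bytes . time());
    $SESSIONS{$id} = { touched => time() };
    return $id;
}

# Validate an id taken from PATH_INFO and "touch" it; false if unknown or idle too long.
sub touch_session {
    my ($id) = @_;
    return 0 unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    my $rec = $SESSIONS{$id} or return 0;
    if (time() - $rec->{touched} > $IDLE_TIMEOUT) {
        delete $SESSIONS{$id};
        return 0;
    }
    $rec->{touched} = time();
    return 1;
}

# Logout destroys the session immediately instead of waiting for the collector.
sub logout {
    my ($id) = @_;
    delete $SESSIONS{$id};
}

# Garbage collector: drop every session idle longer than the timeout.
sub collect_garbage {
    my $now = time();
    for my $id (keys %SESSIONS) {
        delete $SESSIONS{$id} if $now - $SESSIONS{$id}{touched} > $IDLE_TIMEOUT;
    }
}

# Resolve the requested file inside the private tree; refuse anything that escapes it
# (".." segments and symlinks are both resolved by abs_path before the prefix check).
sub resolve_file {
    my ($rel) = @_;
    return undef if $rel eq '' || $rel =~ /\0/;
    my $root = abs_path($PRIVATE_DOCROOT) or return undef;
    my $real = abs_path(File::Spec->catfile($root, $rel)) or return undef;
    return undef unless index($real, "$root/") == 0 && -f $real;
    return $real;
}

# Handle one request; PATH_INFO is "/<sessionid>/<file or action>".
# Returns (status code, body).
sub handle_request {
    my ($path_info) = @_;
    collect_garbage();
    my ($sid, $rest) = $path_info =~ m{\A/([0-9a-f]{64})/(.*)\z}s;
    return (403, "no or bad session") unless defined $sid && touch_session($sid);
    if ($rest eq 'logout') {
        logout($sid);
        return (200, "logged out");
    }
    my $file = resolve_file($rest) or return (404, "not found");
    open my $fh, '<', $file or return (500, "cannot read");
    local $/;
    my $body = <$fh>;
    close $fh;
    return (200, $body);
}

# Stand-alone demo of the session lifecycle: login, logout, then reuse of the dead id.
if (!caller) {
    my $sid     = new_session();
    my ($first) = handle_request("/$sid/logout");   # 200: valid session, now destroyed
    my ($again) = handle_request("/$sid/logout");   # 403: the id no longer exists
    print "$first then $again\n";
}
```

Under a plain one-process-per-request CGI the hash is empty on every run, so the store would have to move to a file or database; the touch, timeout and logout logic stays the same. The prefix check in resolve_file is the part Manfred's "own Documentroot" needs: the file name comes straight from the URL, so it is resolved with abs_path and compared against the root before anything is opened. Because the session id is part of the URL it will also appear in the server's access log and in the Referer header the browser sends to any external link, which is why the id is generated from urandom and the idle timeout is kept short.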