Re: Is this use of crypt() appropriate?

by Nomis52 (Friar)
on Nov 08, 2001 at 18:16 UTC


in reply to Is this use of crypt() appropriate?

I'm doing a similar thing but using a session id.
On successful login a session id is created using the following:
User name
HTTP User Agent
IP address <- can change, particularly with AOL users and proxy servers
Day-of-the-year
and a "secret" constant string

This is fed to MD5, which computes the checksum of it and stores it in a cookie along with the user's name.

Every time a script is requested the session id is checked by re-creating the session id and comparing it to the one in the cookie.

For someone to fake a session id they need all of the above information, including the "secret" string and what order I joined them together in.

The logout is simple, just delete the session id from the cookie.

More secure IMHO than sending any form of the password over the net to store in a cookie. (Remembering it was sent once when the user logged on, but for that you should use SSL.)

I found this site very useful when putting this together. Good luck
Nomis52


Re: Re: Is this use of crypt() appropriate?
by Anonymous Monk on Nov 08, 2001 at 21:54 UTC
    Thanks Nomis, that is very helpful.. would you be able to post some example code of the session in action? It would be very appreciated, many thanks
      Ok this is how I did it. Note I'm very new to perl programming so this probably isn't the best way.
      Assuming you have authenticated the user (from a database or text file or where-ever), and $user is the user's id
      use MD5 ;                      # old MD5 module (Digest::MD5 offers the same interface)
      my $md5 = new MD5 ;
      $md5->reset ;
      my $yday = (localtime)[7];     # day of the year, 0..365

      # create certificate / session id: user, day, secret constant, user agent, client IP
      my $certif = $user . $yday . "do4k.g0" . $ENV{'HTTP_USER_AGENT'} . $ENV{'REMOTE_ADDR'} ;

      # hash the certificate
      $md5->add($certif);
      my $enc_cert = $md5->hexdigest() ;

      # set cookies: the hashed certificate and the user name
      print "Set-Cookie: SESSION=$enc_cert; path=/\n" ;
      print "Set-Cookie: NAME=$user; path=/\n" ;

      # and continue
      print "Content-type: text/html\n\n" ;
      print "Your logged In!" ;
      Then every time the script is called get the certificate out of the cookie, recreate a certificate and compare the two.
      # $session and $user come from the cookies set at login
      my %cookie = map { split /=/, $_, 2 } split /;\s*/, ($ENV{'HTTP_COOKIE'} || '') ;
      my ($session, $user) = @cookie{'SESSION', 'NAME'} ;

      use MD5 ;
      my $md5 = new MD5 ;
      $md5->reset ;

      # recreate the certificate from the same pieces, in the same order
      my $yday = (localtime)[7];
      my $certif = $user . $yday . "do4k.g0" . $ENV{'HTTP_USER_AGENT'} . $ENV{'REMOTE_ADDR'} ;

      # hash the certificate
      $md5->add($certif);
      my $enc_cert = $md5->hexdigest() ;

      # compare against the value stored in the cookie
      if ( defined $session && $enc_cert eq $session ) {
          # we're logged in - run script
      } else {
          # we're not logged in - display error message
      }
      And a logout can simply be done with a
      print<<"END" ;
      Set-Cookie: SESSION=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
      Set-Cookie: NAME=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
      Content-type: text/html

      Your logged out now
      END
      It would probably be wise to set expiration times for the cookies. Using the $yday means each certificate will expire at midnight which could be a problem.

      Anyway I hope this helps
      Nomis52
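The scheme in the reply above, rewritten as an added example that is not Nomis52's code: the same "recompute the token from request data and compare" idea, but with a keyed HMAC (Digest::SHA, in core Perl) instead of a bare MD5 of a delimiter-free concatenation, an explicit expiry inside the token instead of the day-of-year, and a constant-time comparison. The secret value and the user-agent string are placeholders; the IP address is left out because, as the reply notes, it changes behind proxies.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Demonstrates a recompute-and-compare
# session token with an HMAC, an embedded expiry time and constant-time comparison.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: the secret is loaded from configuration; this value is a placeholder.
my $SECRET = 'replace-with-a-long-random-secret';

# Sign the fields that identify the session. A NUL separator keeps
# "ab"."c" and "a"."bc" from producing the same payload, and the expiry
# timestamp travels with the token so the check cannot be fooled by
# recomputing it for a different day.
sub make_token {
    my ($user, $user_agent, $expires) = @_;
    my $payload = join("\x00", $user, $user_agent, $expires);
    my $mac = hmac_sha256_hex($payload, $SECRET);
    return "$expires:$mac";
}

# Compare two strings in time independent of where they first differ,
# so a timing side channel cannot leak the expected MAC byte by byte.
sub eq_constant_time {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a token from the cookie: reject malformed or expired tokens,
# then recompute the MAC from the current request's data and compare.
sub check_token {
    my ($token, $user, $user_agent, $now) = @_;
    my ($expires, $mac) = split /:/, $token, 2;
    return 0 unless defined $expires && $expires =~ /^\d+$/ && defined $mac;
    return 0 if $now >= $expires;
    my $expected = hmac_sha256_hex(join("\x00", $user, $user_agent, $expires), $SECRET);
    return eq_constant_time($expected, $mac);
}

# Constructed demo values; no real HTTP request is involved.
my $ua  = 'Mozilla/4.0 (constructed user agent)';
my $now = 1_000_000_000;
my $tok = make_token('alice', $ua, $now + 3600);

print "token:          $tok\n";
print "same user:      ", (check_token($tok, 'alice', $ua, $now)        ? 'valid' : 'rejected'), "\n";
print "different user: ", (check_token($tok, 'bob',   $ua, $now)        ? 'valid' : 'rejected'), "\n";
print "after expiry:   ", (check_token($tok, 'alice', $ua, $now + 7200) ? 'valid' : 'rejected'), "\n";
print "tampered:       ", (check_token("$tok" . 'x', 'alice', $ua, $now) ? 'valid' : 'rejected'), "\n";
```

In a CGI the token would be emitted with `Set-Cookie: SESSION=...; path=/; HttpOnly` and the user name either kept inside the signed payload or in its own cookie as in the reply; what matters is that the user name is part of what is signed, so changing the NAME cookie invalidates the SESSION cookie.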