http://qs1969.pair.com?node_id=343518

JoeJaz has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I am designing a web interface, using perl, to log into a remote telnet/ssh server and issue specific commands (i.e. the perl script is running on a CGI server other than the telnet/ssh server that I am trying to log into). I am now using cookies to store a user's login information and the name of the host that the script will log into. However, I am looking for a secure method to encrypt those cookies. Since I do not have access to a user database on the remote ssh/telnet server, I cannot use MD5 for a hash method (I would have no way to decrypt it or compare it to a password file on the remove ssh/telnet server). So basically, any type of encryption would have to take place on the CGI server itself. Does anyone happen to know a good way to encrypt cookies that is harder to crack than simply applying a hash of some unique phrase or something? I'm not sure if I described my situation very well, but I would be very greatful for any advice on cookie encryption. Thank you very much for reading this. Joe

Replies are listed 'Best First'.
Re: Perl Cookie Encryption
by BUU (Prior) on Apr 08, 2004 at 07:13 UTC
    Store the username/pw pairs on the cgi server itself, only store session information in the cookie.
[reply]
      Interesting. That might work for what I need. I'll look into that. Thanks, Joe
[reply]
Re: Perl Cookie Encryption
by ant9000 (Monk) on Apr 08, 2004 at 09:45 UTC
    Having the cookie data encrypted does you no good at all, since the cookie itself is exactly the token needed to gain access to the server: if I get your cookie, I have access even without the password in clear.
    You'd better rely on CGI:Session and build some more security into it, to make cross side scripting attacks more difficult. An easy way would be saving the remote IP together with browser signature inside the session, and rejecting any request not matching the stored info.
    HTH,
    Ant9000
[reply]
      An easy way would be saving the remote IP together with browser signature inside the session, and rejecting any request not matching the stored info

      The client's IP often changes in between requests. If the client's ISP is using a rotating proxy (which many big ISPs do), this is so common that it renders this approach unusable.

      There is no 100% secure and browser-independent way to prevent a stolen cookie being replayed by the thief, impersonating the user.

[reply]
        That's good to know. Cookies certainly seem to have their share of security holes. Looks like this isn't as easy as I originally thought. Nonetheless, it is a good learning experience. Thanks for your advice. Joe
[reply]
Re: Perl Cookie Encryption
by sgifford (Prior) on Apr 08, 2004 at 16:29 UTC

    Sure, there's all sorts of ways to do that. Essentially, you want to securely encrypt the cookie with a secret that only your script knows. That way only your script can decrypt the data in the cookie.

    The first thing you need is an encryption routine. There are several in the Crypt:: family that will do the job. Crypt::DES_EDE3, Crypt::Rijndael, or Crypt::IDEA are straightforward to use and widely believed to be secure. If you have a lot of data you want to encrypt (more than about 50 characters), you'll want to use Crypt::CBC to encrypt larger amounts (the encryption modules I suggested are block ciphers, and can only work on a chunks of data of a fixed size)

    That will encrypt your data; now you need to encode it in a way that it will make a reasonable cookie. MIME::Base64 is a good way to do that.

    So, if you create your cookie by encrypting it and base64-encoding it, to get the data back you'll simply base64-decode it, then decrypt it with the secret key, and you have the data back. I've done this for a few projects, and it works quite well.

[reply]
[d/l]
      Wow! That's great. I will give some of those modules a try right away. Thanks for sharing your process with me. Take care, Joe
[reply]
Re: Perl Cookie Encryption
by esskar (Deacon) on Apr 08, 2004 at 07:18 UTC
    maybe a good idea is to use two usernames and two passwords.
    the first username and password pair will be used to encrypt the cookie data (btw. you can't encrypt to whole cookie itself but you can encrypt the data that the gets filled with). This username, passwor pair will never be stored on the client; maybe you can put in a session object on the http-server-side as long as the user is logged in.
    then u use Crypt::TripleDES to encrypt and decrypt that data used to access the telnet/ssh server. (you can build a key for encryption like this "$username$password")

    but keep in mind, that this is not really secure but probably the highest security level you can get for your problem and still being easy to implement.
[reply]
      Hi. I understand that my situation may be a bit unique. I can only hope that I manage to tighten this script down a bit. It's my first experience with creating cookies. I like your dual password idea. I might just incorporate that into the config file (the admin sets the password to encrypt it with). Also, thanks for turning my eye toward the Crypt::TripleDES module. That will probably be a much nice solution rather than creating my own encryption algorithm. Thanks for your ideas. Take care, Joe
[reply]

Back to Seekers of Perl Wisdom