kbradford has asked for the wisdom of the Perl Monks concerning the following question:

I have a web app that interfaces to multiple databases. Right now I'm struggling with a way to pass the username and password in a secure manner. Currently they are just passed as variables to the next script, something like: system_info.cgi?username=user&password=pass

This works, but is not secure at all because it displays this in the address bar. I was thinking of using a cookie to store the username and password for a session. Is this a decent idea for username/password transfers between scripts? It doesn't have to be super secure, but definitely better than what I'm using now. :) If this is a good idea, are there any Perl modules for easy cookie management?

Also one other quick question. Is there any way to maintain user access to a database using a Perl module? I want to be able to create new users on a database or grant current ones new rights. I haven't been able to find any module that can do this. Anyone know of any?

Thanks,
Kevin

Re: User/Password Passing for a DB
by echo (Pilgrim) on Aug 09, 2001 at 17:59 UTC
    You seem to be doing CGI. Don't send user name and passwords over the wire. Instead, generate a session ID, and use that as a key to retrieve session information, such as username/password, from a file or database. Then you only need to pass around the session ID. You can do this with a cookie or appended to the scripts URL (in PATHINFO). Check out Apache::Session and Apache::AuthCookie.
Re: User/Password Passing for a DB
by arturo (Vicar) on Aug 09, 2001 at 18:07 UTC

    I would *NOT* put the user/password information anywhere the user might get at it. Because, unless you're using SSL and you trust your users (and, let's face it, not really even then, because people will mess up sooner or later, no matter how well-intentioned), you're just giving away crucial security information. Switching to POST or cookies just puts a little lace doily over the information, and doesn't really provide any extra level of security.

    A first step would be to develop a unique identifier for each database connection, and have *that* information passed around; as long as you can figure out the user/pass combination for each identifier, you're golden, and you can keep the user/pass information on the server side.

    Even this doesn't make me fully happy, but what I'd think about is storing a list of database names and passwords (along with identifiers for each) in as secure a location as possible, and make sure only your script can access that list. You can use a DBMS for this, no problem, because you can establish multiple DBI connections in one script. Then, on each time the script runs, you get the connection's identifier (which could now be in the URL, or stored in a cookie ... the ID, without the user/pass, is less useful to crackers).

    Then use the ID to figure out which database the user needs access to. You then fetch, from your 'master' user/pwd list, the relevant information and establish a connection with that info.

    That's just off the top of my head, though. I'd want to let this idea simmer for a while (and allow other Monks to poke and prod at it), because I don't like the idea of putting all the goodies in one basket either.

    As to the second question: since every database handles admin tasks differently, probably not. At least I can't think of one off the top of my head. I'd do a search on CPAN, putting in the names of various DBMSes (the ones you use, obviously =) and see what pops up. I do know that there's a pretty useful tool called phpMyAdmin written in (of course) PHP and originally designed to allow you to administer a MySQL database over an HTTP interface. I don't know if anybody's ported that to Perl yet, or whether it's been extended to other DBMSes yet.

    HTH, and good luck!

    perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); $rose = "smells sweet to degree $n"; *other_name = *rose; print "$other_name\n"'
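The approach echo and arturo both describe above (hand the browser only an opaque session id, keep the database username/password in a server-side store that the id is a key into) looks like this in plain CGI Perl. This is an added example, not code from either poster or from Apache::Session; it uses only core modules so it runs anywhere Perl does. The session file path, the cookie name `sid`, the 30-minute lifetime and the `login.cgi`/`system_info.cgi` script names are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use Storable qw(lock_store lock_retrieve);

# Assumed: a server-side session store outside the web root, readable only
# by the web server's user. A DBMS table or Apache::Session would do the
# same job; a Storable file keeps this example dependency-free.
my $SESSION_FILE = '/var/lib/myapp/sessions.db';
my $SESSION_TTL  = 30 * 60;   # seconds a session stays valid

# An unguessable id: 32 bytes from the kernel CSPRNG, hashed to hex so the
# cookie value is a fixed 64-character token with no special characters.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32 or die "short read from urandom";
    close $fh;
    return sha256_hex($bytes);
}

sub load_sessions { return -e $SESSION_FILE ? lock_retrieve($SESSION_FILE) : {} }
sub save_sessions { lock_store($_[0], $SESSION_FILE) }

# Called once, after the user has authenticated: the DB credentials go into
# the store, and only the id ever leaves the server.
sub create_session {
    my ($db_user, $db_pass, $db_name) = @_;
    my $id       = new_session_id();
    my $sessions = load_sessions();
    $sessions->{$id} = {
        user    => $db_user,
        pass    => $db_pass,
        db      => $db_name,
        expires => time + $SESSION_TTL,
    };
    save_sessions($sessions);
    return $id;
}

# Cookie header for the id. HttpOnly keeps page scripts from reading it,
# Secure restricts it to HTTPS, Path limits which scripts receive it.
sub session_cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Path=/cgi-bin/; HttpOnly; Secure; SameSite=Strict\r\n";
}

# On every later request: read the id back out of the Cookie header and
# resolve it. Returns undef for a missing, malformed, unknown or expired id,
# so the caller can refuse the request instead of guessing.
sub lookup_session {
    my %cookies = map { split /=/, $_, 2 } split /;\s*/, ($ENV{HTTP_COOKIE} // '');
    my $id = $cookies{sid} // return;
    return unless $id =~ /\A[0-9a-f]{64}\z/;
    my $sessions = load_sessions();
    my $s = $sessions->{$id} or return;
    if ($s->{expires} < time) {
        delete $sessions->{$id};          # expired: drop it from the store
        save_sessions($sessions);
        return;
    }
    return $s;
}

# --- usage sketch (assumed script names) ---------------------------------
# login.cgi, after verifying the submitted credentials against the DB:
#   my $sid = create_session('dbuser', 'dbpass', 'inventory');
#   print session_cookie_header($sid), "Content-Type: text/html\r\n\r\n";
#
# system_info.cgi and every other script:
#   my $s = lookup_session()
#       or do { print "Status: 403 Forbidden\r\n\r\n"; exit };
#   my $dbh = DBI->connect("dbi:Pg:dbname=$s->{db}", $s->{user}, $s->{pass});
```

The id is the only secret that crosses the wire, it is bound to an expiry, and a leaked URL or browser history now exposes a token that stops working after thirty minutes rather than a password that works forever. arturo's caveat still applies: the store itself holds every password, so its file permissions (or the DB account that owns the table) are the thing to get right.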
Re: User/Password Passing for a DB
by suaveant (Parson) on Aug 09, 2001 at 17:57 UTC
    Yes, setting up a session is a pretty common way to do this, and storing a session key in a cookie or in the URL... I am not sure about modules... There may be some in the Apache namespace... dunno.

    Update: yeah, it looks like there is an Apache::Session module, but the docs are broken, so I'm not sure if it is what you want... If you even run Apache... :)

                    - Ant
                    - Some of my best work - Fish Dinner

(crazyinsomniac) Re: User/Password Passing for a DB
by crazyinsomniac (Prior) on Aug 10, 2001 at 05:49 UTC