Re: Is this use of crypt() appropriate?

I'm doing a similar thing but using a session id.
On sucessful login a session id is created using the following:
User name
HTTP User Agent
IP address <- can change paticularly with aol users and proxy servers
Day-of-the-year
and a "secret" constant string

This is fed to MD5 which computes the checksum of it and stores it in a cookie along with the users name.

Everytime a script is requested the session id is checked by re-creating the session id and comparing it to the one in the cookie.

For someone to fake a session id they need all of the above information including the "secret" string and what order i joined them together.

The logout is simple, just delete the session id from the cookie.

More secure IMOHO than sending any form of the password over the net to store in a cookie. (Remembering it was sent once when the user logged on but for that you should use ssl).

I found this site very usuful when putting this togeather. Good luck
Nomis52

Comment on Re: Is this use of crypt() appropriate?

Replies are listed 'Best First'.
Re: Re: Is this use of crypt() appropriate? by Anonymous Monk on Nov 08, 2001 at 21:54 UTC
Thanks Nomis, that is very helpfull.. would you be able to post some example code of the session in action? It would be very appriciated, many thanks	[reply]
Re: Re: Re: Is this use of crypt() appropriate? by Nomis52 (Friar) on Nov 09, 2001 at 05:36 UTC
Ok this is how I did it. Note I'm very new to perl programming so this probably isn't the best way. Assuming you have authenticated the user (from a database or text file or where-ever), and $user is the user's id `use MD5 ; my $md5 = new MD5 ; $md5->reset ; my $yday = (localtime)[7]; # create certificate / session id my $certif = $user . $yday . "do4k.g0" . $ENV{'HTTP_USER_AGENT'} . +$ENV{'REMOTE_ADDR'} ; # encrypt certificate $md5->add($certif); my $enc_cert = $md5->hexdigest() ; # set cookie print "Set-Cookie: SESSION=$enc_cert; path=/\n" ; print "Set-Cookie: NAME=$user; path=/\n" ; # and continue print "Content-type: text/html\n\n" ; print "Your logged In!" ;` [download] Then everytime the script is called get the certificate out the cookie and recreate a certificate and compare the two. `# $session and $user came from cookie use MD5 ; my $md5 = new MD5 ; $md5->reset ; #create ceritficate my $yday = (localtime)[7]; my $certif = $username . $yday . do4k.g0 . $ENV{'HTTP_USER_AGENT'} . + $ENV{'REMOTE_ADDR'} ; # encrypt Certificate $md5->add($certif); my $enc_cert = $md5->hexdigest() ; #compare if($enc_cert eq $session) { # we're logged in - run script ; } else { # we're not logged in - disp error msg }` [download] And a logout can simply be done with a `print<<"END" ; Set-Cookie: SESSION=; path=\ Set-Cookie: NAME=; path=\ Content-type: text/html Your logged out now END` [download] It would probably be wise to set expiration times for the cookies. Using the $yday means each certificate will expire at midnight which could be a problem. Anyway I hope this helps Nomis52	[reply] [d/l] [select]