in reply to user id

Not sure of the context in which youre working:
  1. making the script get the ID automatically
  2. user authentication

In the case of point one, there is no *real* safe way of explicitly identifying a user over the web without the use of authentication. If you are in a static IP env, then you may be able to use that method, however if you have a proxy in the middle, you'll get the proxy IP.

The other problem you will face is person A sitting at person B's desk - you dont know who is at the keyboard.

In the case of point 2 (authentication) its really quite simple. There are many examples of code out there that will do it.

Points to consider rolling your own authen method
  • Do use CGI.pm - its the best, the doco is good, and heaps of monks can help you.
  • Do use -T (in any CGI app you build). It is a well recognised method of making your application secure (when used 'correctly'), again many monks can help you with this.
  • What will you store the username/pwd combo in (txt, DBI et al)
  • How will you keep track of sessions (read, how will you generate, and where will you store your sess_id)

    Another thing i shout on about is the use of CGI::Application and HTML::Template. They provide a good solid framework for the production of scalable applications that are *easy* to change the look and feel of, and also plug new functionality into.

    Method for (simple) authen protocol (Typical course of events)

    1. display authen page
    2. user submits ID and pwd to cgi app
    3. cgi checks for invalid chars (such as ; \ | ` )
    4. cgi gets pwd based on supplied uname
    5. cgi encrypts pwd and compares to fetched pwd
    6. user is authenticated and resulting page is displayed
    Using a method like this, the actual password is never seen by anyone which makes it a little more secure. the down side is, if someone forgets their pwd, you can never get it back if you use something like md5 or sha1.

    You then also have to thing of things like administration (changing user pwds, adding/removing (l)users), password aging, transaction rate etc etc..

    If you are thinking of building a web app that will handle authentication, these things really shouldnt be out of scope, even for the 1st rev of your application. You want people to like, (and use) your application, ommiting (what i consider essential) features may not give your users the impression you are after.

    Even tho' this is big on theory with no examples (which i suspect you were after), I hope it provides a reasonable guide as to what you should consider when building CGI apps.

    • In Section Seekers of Perl Wisdom