Re: Re: Is this a secure way to handle login?

The solution proposed in the original post looks like regular session management to me, and you could probably implement it without running into any problems. I don't know why you need to log the IP, though.

However, I second davis suggestion that you should go with a prebuilt module. Apache::Session totally rocks, and will let you store not only usernames and passwords, but any Storable object in you session variables. You have the choice of storing data in regular files, DB_File or several different databases, and the best part is that you don't need Apache; it will happily run under most web servers.

Also, you don't have to bother with generating random numbers for session ID's, as Apache::Session will do all this for you.

Cheers,
--Moodster

Comment on Re: Re: Is this a secure way to handle login?

Replies are listed 'Best First'.
Re: Re: Re: Is this a secure way to handle login? by perrin (Chancellor) on Mar 27, 2002 at 14:52 UTC
The numbers generated by Apache::Session are not random enough to be considered truly secure. If you really don't want people to forge session IDs you should use some kind of hashing scheme to generate a digest that you send out with your session ID. Then you can use that to verify that the ID has not been tampered with. This technique has been described in other threads here about session handling.	[reply]
Re: Re: Re: Is this a secure way to handle login? by aersoy (Scribe) on Mar 27, 2002 at 23:07 UTC
Hello. The method described here is not the same as regular session management. In the regular session management, the session id stays still during the session. Here, it is supposed to change on every page load. Update: It seems I'm the one who misunderstood the method. However, I think my method (creating a new ID on every page load) would be a bit more secure. -- Alper Ersoy	[reply]
Re: Re: Re: Re: Is this a secure way to handle login? by tipthepizzaguy (Initiate) on Mar 28, 2002 at 05:19 UTC
The method I discribed does keep the session ID constant during the session. The random number is created at login and does not change until the user logs in again.	[reply]