neilwatson has asked for the wisdom of the Perl Monks concerning the following question:

I've been doing some reading about http authentication. My goal for a website I'm designing is to have certain users login to gain write access to a database. Using Mason, I've been thinking about how to go about this:

  1. Have autohandler check for a session cookie. What should the cookie contain?
  2. If there is no session cookie the user will be prompted to login. The password will be encrypted and stored in a database using this method.

Other than using htaccess in Apache I've not had much experience with authentication. Any and all suggestions would be appreciated.

Neil Watson
watson-wilson.ca

Replies are listed 'Best First'.
Re: Best methods of http authentication
by valdez (Monsignor) on Oct 29, 2003 at 16:25 UTC

    I will not answer your questions directly, there are at least two books that describe what you need: Chapter 6 of Eagle book and Chapter 11 of Mason book, both about authentication and authorization with mod_perl and Mason. Enjoy :)

    Ciao, Valerio

Re: Best methods of http authentication
by erasei (Pilgrim) on Oct 29, 2003 at 16:13 UTC

    I've written a couple of different methods for http(s) authentication and looked at a few more. I'm using the cookie method currently, and it's working pretty well on the small (200 or so) user base that this tool supports.

    I store a username and unix crypt password with a predetermined random string (example: erasei:-FOOBAR-:n31s9xyn4A) which is blowfish encrypted. That is what I store in the cookie. Then I store a set of username/crypted passwd combinations in a database and then compare the two crypted passwords, the random string, and syntax of the string during authentication. This method allows me to also store an access level in the database that will allow or disallow access to certain sections/pages of the tool based on username; something that htaccess doesn't allow us to do.

    Also, I have looked into using mod_auth_msql but just haven't taken the time to fully research it yet.

Re: Best methods of http authentication
by hardburn (Abbot) on Oct 29, 2003 at 17:06 UTC

    I usually use a globally unique user ID (see Data::UUID) as a session id. This session ID then points to a specific user in the web server's database.

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    : () { :|:& };:

    Note: All code is untested, unless otherwise stated
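As an added example, not code from anyone in this thread: a minimal Perl sketch of the scheme the question and hardburn's reply describe, a crypt()-hashed password table plus an opaque session id that is stored server-side and is the only thing the cookie carries, with the per-request lookup an autohandler would do. It reads 16 bytes from /dev/urandom instead of Data::UUID because Data::UUID produces time-based (v1) ids, which are not unguessable; the user name, password, table layout and cookie name are constructed for the demo.

```perl
use strict;
use warnings;
# Constructed stand-ins for the two tables the question describes.
my %users;     # username => crypt()-hashed password
my %sessions;  # session id => { user => $name, expires => epoch seconds }
my $SESSION_TTL = 30 * 60;
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Hash with perl's built-in crypt() and a fresh random salt per user
# (classic DES crypt only looks at the first 8 password characters).
sub hash_password {
    my $salt = join '', map { $salt_chars[rand @salt_chars] } 1 .. 2;
    return crypt($_[0], $salt);
}
# crypt() reads its salt from the front of the stored hash, so re-hashing
# the candidate and comparing it with the stored value verifies it.
sub check_password { my ($plain, $stored) = @_; crypt($plain, $stored) eq $stored }

# 128 bits from the kernel CSPRNG, hex-encoded. The cookie carries only this
# opaque id; user name and password hash never leave the server.
sub new_session {
    my ($user) = @_;
    open my $rnd, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from urandom";
    my $id = unpack 'H*', $bytes;
    $sessions{$id} = { user => $user, expires => time + $SESSION_TTL };
    return $id;
}
# Login handler: a session id on success, undef for a bad user or password.
sub login {
    my ($user, $plain) = @_;
    return undef unless exists $users{$user} && check_password($plain, $users{$user});
    return new_session($user);
}
# Per-request check for the autohandler: Cookie header -> user name or undef.
sub user_from_cookie {
    my ($hdr) = @_;
    return undef unless defined $hdr && $hdr =~ /(?:^|;\s*)session=([0-9a-f]{32})(?:;|$)/;
    my ($id, $s) = ($1, $sessions{$1});
    return undef unless $s;
    if ($s->{expires} < time) { delete $sessions{$id}; return undef }
    $s->{expires} = time + $SESSION_TTL;    # sliding expiry
    return $s->{user};
}

# Demo with constructed data: log in, emit the cookie, then resolve it.
$users{neil} = hash_password('correct horse');
my $sid = login('neil', 'correct horse') or die "login failed";
print "Set-Cookie: session=$sid; Path=/; HttpOnly; Secure\n";
print "cookie -> ", user_from_cookie("lang=en; session=$sid"), "\n";
print "forged id -> ", user_from_cookie('session=' . '0' x 32) || 'rejected', "\n";
```

In a real deployment %users and %sessions would be database tables, and the session store needs a periodic sweep of expired rows, since this sketch only deletes one when it is presented.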