It's true about attempting to snarf someone else's ID. There are a couple of packages out there that generate pretty unique IDs. I use the current time in seconds plus the PID of the process of the Perl instantiation when the user logged in.

This is kept in a MySQL table, along with the last time the ID was seen (each time a user accesses a page). Each time the script is called it checks to see if any of the IDs in the table are older than 15 minutes, and if they are, they're deleted. This (obviously) prevents stale IDs from being targetable. It also gives me an accounting log of people who actually log off the application, versus leaving an unsecured PC on the network. As a side effect, it pretty much makes sure that the correct user is logged in (as opposed to sharing PCs), since the system is accessed a number of times a day, but not typically within a 15-minute window by two different users on the same PC (this is just an artifact of the local environment, and would not hold true for higher volume sites).

The system is vulnerable to packet sniffing on the local network, but truth be told, virtually no one around here is that proficient. Also, since we run on switches & routers, few people in the company can see other people's traffic.

All in all, for my environment, it's pretty secure.

In reply to (jcwren) RE: (4): Passing CGI parameters on new CGI by jcwren
in thread Passing CGI parameters on new CGI by Michalis
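The session table and 15-minute idle purge described in the post above, as an added example that is not jcwren's code and not from the original thread. It is written in Python with an in-memory SQLite database standing in for the MySQL table (an assumption, chosen so it runs offline), and it swaps the time-plus-PID ID for a token from the OS CSPRNG, since a value built from login time and a process id can be narrowed down by anyone who knows roughly when a login happened. The `SessionStore`, `FakeClock` and `demo` names are this example's own; the `session_log` table records the explicit-logoff versus timed-out accounting the post mentions.

```python
import secrets
import sqlite3
import time

IDLE_LIMIT = 15 * 60  # seconds of inactivity after which a session ID is purged


class SessionStore:
    """One row per live session ID, refreshed on every page hit and purged
    once it has been idle for IDLE_LIMIT seconds. SQLite in memory stands in
    for the MySQL table from the post (assumption for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT NOT NULL, last_seen REAL NOT NULL)"
        )
        # accounting log: explicit logoffs versus sessions that simply timed out
        self.db.execute("CREATE TABLE session_log (id TEXT, user TEXT, event TEXT, at REAL)")

    def _purge_stale(self):
        """Delete every ID not seen within IDLE_LIMIT, logging each as a timeout."""
        cutoff = self.clock() - IDLE_LIMIT
        stale = self.db.execute(
            "SELECT id, user FROM sessions WHERE last_seen < ?", (cutoff,)
        ).fetchall()
        for sid, user in stale:
            self.db.execute(
                "INSERT INTO session_log VALUES (?, ?, 'timeout', ?)", (sid, user, self.clock())
            )
        self.db.execute("DELETE FROM sessions WHERE last_seen < ?", (cutoff,))
        self.db.commit()
        return len(stale)

    def login(self, user):
        """Issue a fresh ID: 32 random bytes from the OS CSPRNG, not time+PID."""
        self._purge_stale()
        sid = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, user, self.clock()))
        self.db.execute(
            "INSERT INTO session_log VALUES (?, ?, 'login', ?)", (sid, user, self.clock())
        )
        self.db.commit()
        return sid

    def touch(self, sid):
        """Called on every page access: purge stale rows, then refresh this ID's
        last_seen. Returns the owning user, or None if the ID is unknown or expired."""
        self._purge_stale()
        row = self.db.execute("SELECT user FROM sessions WHERE id = ?", (sid,)).fetchone()
        if row is None:
            return None
        self.db.execute("UPDATE sessions SET last_seen = ? WHERE id = ?", (self.clock(), sid))
        self.db.commit()
        return row[0]

    def logoff(self, sid):
        """Explicit logoff: drop the row now and record it as such in the log."""
        row = self.db.execute("SELECT user FROM sessions WHERE id = ?", (sid,)).fetchone()
        if row is None:
            return None
        self.db.execute("DELETE FROM sessions WHERE id = ?", (sid,))
        self.db.execute(
            "INSERT INTO session_log VALUES (?, ?, 'logoff', ?)", (sid, row[0], self.clock())
        )
        self.db.commit()
        return row[0]

    def users_with_event(self, event):
        """Users from the accounting log for one event type, oldest first."""
        rows = self.db.execute(
            "SELECT user FROM session_log WHERE event = ? ORDER BY at", (event,)
        )
        return [user for (user,) in rows]


class FakeClock:
    """Constructed clock so the 15-minute expiry can be stepped through by hand."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Two users log in; one keeps clicking, the other walks away from the PC."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock)
    alice, bob = store.login("alice"), store.login("bob")
    clock.advance(10 * 60)
    touched_alice = store.touch(alice)  # refreshes alice's last_seen at +10 min
    clock.advance(10 * 60)              # bob idle 20 min, alice idle 10 min
    bob_after = store.touch(bob)        # None: bob's row was purged on this call
    alice_after = store.touch(alice)    # "alice": still within the window
    logged_off = store.logoff(alice)    # "alice", recorded as an explicit logoff
    alice_gone = store.touch(alice)     # None: ID no longer usable
    return {
        "alice_id": alice, "bob_id": bob,
        "touched_alice": touched_alice, "bob_after": bob_after,
        "alice_after": alice_after, "logged_off": logged_off, "alice_gone": alice_gone,
        "timeouts": store.users_with_event("timeout"),
        "logoffs": store.users_with_event("logoff"),
    }


if __name__ == "__main__":
    print(demo())
```

The purge runs at the start of every request, exactly as the post describes, so an idle ID is gone by the time anyone presents it; the log then distinguishes a deliberate logoff from a session that was abandoned on an unattended PC.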
