Each time a user goes to a new page in my CGI-based site, the script calls up a big lump of info about this session from a db. What I plan to do is, for a properly logged-on user, send with each page a field containing a randomly generated string. When that string gets submitted, the script checks it against the db; if there is a match, it pulls out the info, and then changes the random string and sends back the new string. If there is no match, then I know that this is not a logged in user.

I have a few questions about this:

Am I right in thinking this is more secure that htpasswd (if done properly) in that each "password" only exists for a single transaction in the session - my limited understanding, which may be wrong, is that this makes it harder to sniff than $ENV{'REMOTE_USER'}.

Is there any advantage in encrypting the random string? - it seems like there must be, but given that each string only gets used once, I can't see that it's any harder to spoof when unencrypted.

Assuming I shd encrypt it, what's your recommended encryption module - there seems to be a bewildering array of them in CPAN

In generaly, am I barking up the wrong tree (or just plain barking) with this? I'm pretty ignorant abt security, so please don't refrain from telling me something because you think I'll already know it!

Many thanks, sibling monks.

§ George Sherston

---

In reply to Secure State Maintenance by George_Sherston

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":

---

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

• How do I compose an effective node title?
• How do I post a question effectively?
• Markup in the Monastery

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		&
	<		&lt;
	>		&gt;
	[		&#91;
	]		&#93;

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.