I've written a Perl/Tk application that helps teachers keep track of their students' grades. So far, security is not that much of an issue, because the software runs locally on the teacher's machine. However, I do have a primitive provision for posting students' grades on the web so they can type in a password and see how they're doing in the course. The security is, admittedly, very low -- just one step above posting grades on your office door -- but presently it's not a big deal, since data only flows one way, from the teacher's machine to the web server. The worst consequence of a security breach is that someone finds out how someone else is doing in the class.
I have plans, however, to build a more ambitious suite of software, including things like online quizzes that would count towards the student's grade. For that, I'm going to need a more serious, systematic approach to security. I need to handle logins by both students and teachers, and I need to securely move larger amounts of data in both directions, not just from client to server.
I have a general idea of the techniques involved in doing this right, e.g., storing only encrypted passwords on the server, so that a person who gets access to the passwords file still can't use them for anything; using protocols like https and sftp, rather than http and ftp; checking for tricky stuff embedded in strings input to the CGI; etc. But I need some suggestions on how to learn more about the specifics of how to implement these things. Can anyone recommend a good book and/or a well-crafted open-source Perl CGI app that I could study for examples of these techniques?
I'm not really asking for complete explanations here, because this is obviously a very big topic. But here are some specific examples of the kind of information that I need pointers to:
- Net::SFTP isn't going to be a viable option for me, since it's too hard for my users to install. (Heck, it was too hard for me to install!) Is there a C alternative with the appropriate Perl interface?
- HTTP GET and POST are obviously not the right way to move large amounts of data (10-100k), or to do it securely. What's the alternative? How do you securely upload this amount of data to a subdirectory in the cgi-bin?
- There's obviously a lot of finicky stuff that one needs to take care of when users are logging in: letting them change their password if they've forgotten it; generating an error message if their browser doesn't allow the necessary mechanisms (JavaScript, cookies,...). Is there a good bulletproof package for this?
- In the past, I've written this kind of CGI login system for a lower-security system, and used a cookie to show that the person was logged in. This seems clearly wrong for a secure system, since they may forget to log out. Are hidden JavaScript variables the right way to do this? Again, I'd like to use a tested, canned package if possible.
Edited 2002-23-04 by Ovid
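
The password-storage idea mentioned in the post (keep only a salted one-way hash on the server, and reject tricky characters in CGI input before it reaches the passwords file), as an added example that is not part of the original post or of the poster's application. The record layout, the function names, the iteration count and the use of /dev/urandom are assumptions; only the core modules Digest::SHA and MIME::Base64 are used.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);
my $ITERATIONS = 100_000;    # assumed work factor; tune to the server

# PBKDF2-HMAC-SHA256 (RFC 8018), first 32-byte block only.
sub pbkdf2_sha256 {
    my ($password, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);
    my $t = $u;
    for (2 .. $iter) {
        $u = hmac_sha256($u, $password);
        $t ^= $u;            # bytewise XOR of two equal-length strings
    }
    return $t;
}

# Build one line for the passwords file: user:iterations:salt:hash
sub make_record {
    my ($user, $password) = @_;
    # Allow-list the username so ':' or newlines cannot forge extra records.
    $user =~ /\A[A-Za-z0-9_]{1,32}\z/ or die "bad username\n";
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read($fh, my $salt, 16) == 16 or die "short read from /dev/urandom\n";
    close $fh;
    my $hash = pbkdf2_sha256($password, $salt, $ITERATIONS);
    return join ':', $user, $ITERATIONS, encode_base64($salt, ''), encode_base64($hash, '');
}

# Recompute the hash from the stored salt and compare without early exit.
sub check_record {
    my ($line, $user, $password) = @_;
    chomp $line;
    my ($u, $iter, $salt64, $hash64) = split /:/, $line;
    return 0 unless defined $hash64 && $u eq $user && $iter =~ /\A[0-9]+\z/;
    my $want = decode_base64($hash64);
    my $got  = pbkdf2_sha256($password, decode_base64($salt64), $iter);
    return 0 unless length($got) == length($want);
    my $diff = 0;
    $diff |= ord(substr $got, $_, 1) ^ ord(substr $want, $_, 1) for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample account, for demonstration only.
my $line = make_record('student42', 'correct horse');
print "stored: $line\n";
printf "right password: %s\n", check_record($line, 'student42', 'correct horse') ? 'ok' : 'rejected';
printf "wrong password: %s\n", check_record($line, 'student42', 'guess') ? 'ok' : 'rejected';
```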