When member-only content is accessed, a second script, serveContent, is called, into which is passed the username, a crypted version of the password, and the page which the user is attempting to access, which again checks user authorisation and either displays the requested page or demands the user log in.
Please, correct me if I am not interpreting your words correctly.
From what I understand, your navigation frame loads the pages by opening in the display frame a URL of the form
https://whatever/cgi-bin/something?user=me&pass=secret.
If the tokens passed in the GET request are all you need to "authenticate" the user, then be aware that they may be stored in the history and automatic completion of the browser and may be passed as referer header to external sites accessed by the user from your pages.
A more correct (and standard) system requires passing to the client only a randomly generated token which is associated server-side to the userid.
URLs become
https://whatever/cgi-bin/something?token=randomstuff
and the association token<-->user on the server expires after some time from its creation or from its last invocation.
This prevents information from leaking to an attacker who has access to the client after the user.
Of course, this does not guarantee full security, but should be an improvement over your scheme.
Cheers
Antonio Bellezza
The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
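The server side of the token scheme Antonio describes, written here as an added Perl example (not code from this thread or from the poster's scripts). It assumes an in-memory hash as the token store, a hypothetical `/dev/urandom` as the random source, and that the username/password check has already been done elsewhere; the time limits are constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the token<-->user association lives in this hash. A real CGI
# (one process per request) would keep it in a file, a DBM or a database.
my %sessions;

my $MAX_AGE  = 8 * 60 * 60;   # constructed: token dies 8 hours after creation
my $MAX_IDLE = 15 * 60;       # constructed: ... or 15 minutes after its last use

# Unguessable token from the OS random source; never derived from the password.
sub new_token {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack('H*', $bytes);   # 64 hex characters, safe to put in a URL
}

# Called once, only after the login script has verified username and password.
sub create_session {
    my ($user) = @_;
    my $token = new_token();
    my $now   = time;
    $sessions{$token} = { user => $user, created => $now, last_seen => $now };
    return $token;
}

# Called by serveContent on every request carrying ?token=...; returns the
# user name, or undef when the token is unknown or has expired.
sub user_for_token {
    my ($token, $now) = @_;
    $now //= time;
    return undef unless defined $token && $token =~ /^[0-9a-f]{64}$/;
    my $s = $sessions{$token} or return undef;
    if ($now - $s->{created} > $MAX_AGE || $now - $s->{last_seen} > $MAX_IDLE) {
        delete $sessions{$token};   # expired: remove it so it cannot be reused
        return undef;
    }
    $s->{last_seen} = $now;         # sliding idle window, as described above
    return $s->{user};
}

# Explicit logout, so a token left in a shared browser's history is dead.
sub destroy_session { delete $sessions{ $_[0] }; return; }

if (!caller) {
    my $t = create_session('me');
    print "serveContent sees user: ", user_for_token($t), "\n";
    print "after 16 idle minutes: ",
        (defined user_for_token($t, time + 16 * 60) ? 'still valid' : 'expired'), "\n";
}
```

The token still travels in the URL, so the history and referer exposure noted above still applies; the expiry only limits how long a leaked token stays usable.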