Hi Fellow Monks, I am developing a script which is displayed after completion of the payment process (the payment site calls my URL with certain parameters). I verify that the payment got through and then I display a link for download of an exe file. What I do is, after verification, I encrypt a cookie and then I display an HTML page with a link (which is another Perl script). When that link is clicked I check for the cookie and then force download the exe. Is this safe? Or is there any better way of doing this? And what is the best way of encrypting the cookie? I use Crypt::CBC but it is a bit of a problem installing these on a Windows machine. Also I have attached the module, which was done by looking at an example in the mod_perl Eagle book.
package Auth;

use CGI qw(:standard);
use CGI::Cookie ();
use MD5 ();
use Crypt::CBC ();

use constant COOKIE_NAME => 'Cname';
use constant SECRET      => '0mn1um ex 0vum';

$CIPHER ||= Crypt::CBC->new(SECRET, 'IDEA');

# Build the state for this user and send it as an encrypted cookie
sub set_cookie {
    my $usrname = shift;
    # the post reads "localtime(time +)"; the offset after "+" is missing
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time);
    $year = $year + 1900;
    $mon++;
    my $time = "$year$mon$mday$hour$min$sec";
    $state = initialize($state, $time, $usrname);
    print header(-cookie => save_state($state));
}

sub initialize {
    my $state   = shift;
    my $time    = shift;
    my $usrname = shift;
    $state = {} unless $state;
    $state->{TIME}    = $time;
    $state->{USRNAME} = $usrname;
    return $state;
}

# Check or generate the MAC authentication information
sub MAC {
    my ($state, $action) = @_;
    return undef unless ref($state);
    my @fields = @{$state}{qw(TIME USRNAME)};
    my ($newmac) = MD5->hexhash(SECRET . MD5->hexhash(join '', SECRET, @fields));
    return $newmac eq $state->{MAC} if $action eq 'check';
    return $state->{MAC} = $newmac if $action eq 'generate';
    undef;
}

# Save the current state
sub save_state {
    my $state = shift;
    MAC($state, 'generate');    # add MAC to the state
    # encrypt the cookie
    my $encrypted = $CIPHER->encrypt_hex(join ':', %{$state});
    return CGI::Cookie->new(
        -name  => COOKIE_NAME,
        -value => $encrypted,
    );
}

# Retrieve an existing state
sub get_state {
    my $cookie = CGI::cookie(COOKIE_NAME);
    return undef unless $cookie;
    # decrypt the cookie
    my %state = split ':', $CIPHER->decrypt_hex($cookie);
    # fail closed: never hand back a state whose MAC does not verify
    unless (MAC(\%state, 'check')) {
        authentication_error();
        return undef;
    }
    return \%state;
}

sub authentication_error {
    print "<h4> Authentication error </h4>";
}

1;
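An added example, not part of the original post or taken from the mod_perl book: a signed, expiring download token built only on Digest::SHA, which ships with Perl, so nothing extra has to be installed on Windows. The key, the lifetime and the names make_token, check_token and const_eq are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);    # bundled with Perl since 5.10

# Assumption: in production the key is read from a file outside the web root.
my $KEY = 'constructed-demo-key-replace-me';
my $TTL = 15 * 60;                      # hypothetical lifetime: 15 minutes

# Build "hexuser:expiry:mac"; hex-encoding keeps ':' out of the username field.
sub make_token {
    my ($user, $now) = @_;
    my $payload = join ':', unpack('H*', $user), ($now // time) + $TTL;
    return "$payload:" . hmac_sha256_hex($payload, $KEY);
}

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the username for a valid, unexpired token; undef for anything else.
sub check_token {
    my ($token, $now) = @_;
    return undef unless defined $token
        && $token =~ /\A([0-9a-f]+):(\d+):([0-9a-f]{64})\z/;
    my ($hex_user, $expiry, $mac) = ($1, $2, $3);
    # Verify the MAC before trusting any field, then enforce the expiry.
    return undef unless const_eq($mac, hmac_sha256_hex("$hex_user:$expiry", $KEY));
    return undef if ($now // time) > $expiry;
    return pack 'H*', $hex_user;
}

# Constructed sample run: a fresh token, the same token after expiry,
# and a copy whose username was swapped while the old MAC was kept.
my $t0    = 1_700_000_000;
my $token = make_token('mkirank', $t0);
(my $forged = $token) =~ s/\A[0-9a-f]+/unpack('H*', 'someone')/e;
printf "%-8s %s\n", 'valid',   check_token($token,  $t0 + 60)       // 'rejected';
printf "%-8s %s\n", 'expired', check_token($token,  $t0 + $TTL + 1) // 'rejected';
printf "%-8s %s\n", 'forged',  check_token($forged, $t0 + 60)       // 'rejected';
```

The token holds nothing confidential, so it is authenticated rather than encrypted; the download script calls check_token and serves the file only when a username comes back.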

In reply to Security using Encrypted cookies by mkirank
