If you're already authenticating with HTTP authentication, I would stick with that rather than writing a bunch of state management stuff with cookies. This is all handled by the web server with HTTP auth, so I would see about protecting a subdirectory under /cgi-bin/ or reconfigure the server so that you can run your protected CGI scripts under the directory that you already have protected. I have never understood why sites insist on using all sorts of complex state management code and cookies with "authenticated" sessions when HTTP authentication will do all of this for them, giving the CGI script a nice friendly environment variable with the username. Plus you don't have to worry about invalidating URL's or having obfuscated keys showing up in access/referer logs for your server or sites you link to. It's all just a big headache, and unless you find a quality pre-written installation, it's not worth it. Stick with some form of HTTP authentication and you'll have much less headache. Of course, either mechanism, as another poster mentioned, is susceptible to monitoring by a 3rd party, which is why you'd want to use SSL if you're concerned about this. Unless you're trafficking sensitive data, I wouldn't worry.

In reply to Re: Security: Cookies vs HTTP authentication by Fastolfe
in thread Security: Cookies vs HTTP authentication by rodry

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.