Machiavellian Monks,
Basic situation - an online user interface form asks the user for an ID# to sign in. The input ID# is checked against a MySQL DB, and if valid, the user is given access to another page for updating their personal information.
Here's what I've done for security:
- the Perl script that receives the ID# form first checks the referrer, accepting only the url of the form page
- ID numbers all have a specific, safe, format, which the script checks for and accepts only validly formed input
- ID#'s are stored in the DB encrypted by Perl's built-in crypt() function, so the script then encrypts the input ID# and executes a SELECT for ID = encrypted-ID to confirm it's a valid one and who it belongs to
- the script then generates a 20-character session ID, encrypts it using Perl's built-in crypt() function, and stores it and the current date-time temporarily in the user's record in the DB.
- the returned page has the un-encrypted session ID in a hidden form field
- When the second form is submitted, the user input goes through some sanitization, the session ID is checked for the proper format (20-char string, a-zA-Z0-9), then encrypted, then a SELECT is run on session-id = encrypted-session-id to confirm this is a valid session, and the current date-time is compared to the stored date-time for that session to be sure it hasn't been too long since the session start
This is not a banking site or anything like that - I need "pretty good security", not CIA-proof security. So I have a couple of questions:
- Does this sound reasonable?
- I'm aware of the problem with using crypt() on 20-character session IDs. I've already noticed that if two session IDs differ by only the last few characters, I get the exact same encrypted value - what to do?
Thanks
Forget that fear of gravity,
Get a little savagery in your life.
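What the post asks about, as an added example that is not part of the original post: crypt()'s 8-character truncation shown beside a session check that stores a SHA-256 digest of the ID instead. The helper names are hypothetical; it assumes Perl 5.10+, a POSIX /dev/urandom and a traditional DES-style crypt(), with a hashref standing in for the user's DB row.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);    # core module since Perl 5.10

# Hypothetical helpers (not from the post) for its scheme: a 20-char
# [A-Za-z0-9] session ID whose SHA-256 digest, not the ID, is stored.
my @ALPHABET = ('A'..'Z', 'a'..'z', '0'..'9');

# Draw the ID from /dev/urandom (assumed present) rather than rand(),
# which is not a cryptographic generator.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $id = '';
    while (length $id < 20) {
        sysread $fh, my $byte, 1 or die "short read: $!";
        my $n = ord $byte;
        next if $n >= 248;    # reject to avoid modulo bias (248 = 4 * 62)
        $id .= $ALPHABET[$n % 62];
    }
    close $fh;
    return $id;
}

sub valid_session_format {
    return defined $_[0] && $_[0] =~ /\A[A-Za-z0-9]{20}\z/;
}

# Stored in the user's DB record in place of crypt($id, $salt).
sub session_digest { return sha256_hex($_[0]) }

# Check a submitted ID against the stored record: format, digest, then age.
sub session_ok {
    my ($submitted, $record, $now, $max_age) = @_;
    return 0 unless valid_session_format($submitted);
    return 0 unless sha256_hex($submitted) eq $record->{digest};
    return 0 if $now - $record->{started} > $max_age;
    return 1;
}

# Traditional DES crypt() (two-char salt) uses only the first 8 characters,
# so two IDs that differ only in their tail collide; SHA-256 does not.
my ($id1, $id2) = ('abcdefghAAAAAAAAAAAA', 'abcdefghBBBBBBBBBBBB');
my ($c1, $c2) = (crypt($id1, 'xy'), crypt($id2, 'xy'));
print "crypt():  ", !defined $c1 ? "DES crypt not available here\n"
                  : $c1 eq $c2   ? "identical for both IDs\n" : "different\n";
print "sha256(): ", session_digest($id1) eq session_digest($id2) ? "identical\n" : "different\n";

my $id     = new_session_id();
my %record = (digest => session_digest($id), started => time());
print "fresh session accepted:   ", session_ok($id, \%record, time(),        1800), "\n";
print "expired session accepted: ", session_ok($id, \%record, time() + 3600, 1800), "\n";
```

The plain `eq` on digests is not a constant-time comparison; that is acceptable for the "pretty good security" bar the post sets, but a constant-time compare is the usual choice where timing matters.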