comment on

I think a good, relatively easy, security model to implement is this:

Store user and password info in a database. Be sure to encrypt the password. If you're using mySQL, the password() function can do this for you.
Have the user login. Check the password against the info in the database.
Assuming login success, set a md5 encrypted cookie and store the cookie in a "valid users" table server-side. Use some kind of random, hard-to-guess info in the md5 cookie, like localtime() plus a random number and some random text. One other thing is to not set an expiration time on the cookie, so that it expires when the user closes the browser session. This will require a login each time someone wants to access an admin feature.
Because you have the cookie stored in a database, you can use this to authenticate across multiple scripts. You should also clear the stored cookies out of the database every day or so.
The biggest hole here is probably sending password/user info plain text via the WWW. Use SSL for the login page.
You can also have admin functions built into the same scripts used by non-admin folks, by denying functions to folks without a valid cookie in your database. This is a big strength of this system, your security isn't an "all or nothing" proposition.
There's a bunch of assumptions I'm making here- that you're using strict, untainting data properly, and have read all the great links the other monks have provided in this thread. This is the "devil in the details."

Make sure to take the time to learn CGI.pm for handling your cookies and other functions, you'll be glad you did.

While this system isn't perfect, it should work for a moderately secure app. I wouldn't trust it with anything that handles credit cards or the like, but it should work well for anything below that.

In reply to Re: Security by Hero Zzyzzx
in thread Security by Anonymous Monk

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.