perleager has asked for the wisdom of the Perl Monks concerning the following question:

Hey, I built my whole entire member database through MySQL. My site will be displaying images only for the members section. The members section of my Web Site requires a username/pw that's stored in a MySQL database. Is this only a good setup for sites that are not managing content for members? Any member can log in, view an image that's only in the member section (no, this is not an adult site), and copy and paste the address to any other person to view.

Is there any way to work around this? Such as using DBI to store the username/pw inside the NTFS members/users? I'm really not good with security or permissions, so these questions might be a bit dumb. I'm using Windows, so it's not like an Apache system where I can use .htaccess? Or am I wrong about that too?

I also have HTML files that are generated from PowerPoint. If anyone has generated a PowerPoint presentation into web page format, they know that there are a lot of files if there are a lot of slides. Each slide is a .htm file. These PowerPoint presentations are only for members to view on the web. The solution I'm thinking of to protect these HTML files is placing the .htm and presentation files (slide imgs) inside a directory not to be viewed by anyone through the web. Then in PERL, make a script verify the username/pw with DBI/MySQL that reads the .htm files and displays them in the browser. Are there any other security holes I may not know about doing it this way?

Any comments or suggestions on security for the situation I'm in will be nice ;)

Thanks,
Anthony
Re: help with security info for web content
by cLive ;-) (Prior) on Mar 24, 2004 at 01:02 UTC
    These may be assumptions, but here's my thoughts:
    • you're using query string information to hold the authentication info? bad idea
    • .htaccess files are the way to go if you just want to serve all content to valid users - and Apache works fine on windows if you have access to the machine.
    • you can use separate .htaccess files in each subdirectory to limit user access further, but this can get messy
    • don't store passwords unencrypted in the database. at the very least, use crypt() to hide them, then compare a crypt of what the user enters as a password to what you have in the DB

    If you're going to wrap serving the files in a Perl script, use cookies (stored in DB with username) to validate rather than password lookup for each page request. Something like this:

    use CGI;

    my $q = CGI->new();
    if ($q->cookie('sessioncookie')) {
        # check cookie exists in DB
        # serve page requested
    } elsif ($q->param('username')) {
        # check password OK, set session cookie
        # and store cookie in DB
    } else {
        # show login form
    }
    but it's hard to comment without seeing some code.

    .02

    cLive ;-)

Re: help with security info for web content
by iburrell (Chaplain) on Mar 24, 2004 at 01:03 UTC
    There are two ways to do authentication with IIS.

    First, is to use HTTP basic (or NTLM) authentication against the Windows user database. This can be tied into the NTFS file permissions. This doesn't work well when you want to store the users in the database and not have them exist outside the database.

    Second, is to serve the content through a dynamic script. The script checks whatever mechanism you use to authenticate the users (i.e. cookie), and serves up the file. The URL can hide somewhat that there is a script: /files.cgi/some/dir/image.gif

    Apache gives other ways to do authentication. There are Apache modules that can do authentication in many different ways including basic against database, and with cookies. Also, you can write mod_perl auth handlers that run Perl code. Apache::AuthCookie uses cookies. Apache runs quite well on Windows but the mod_perl support is not production quality.

      Hey,

      thanks for the quick replies.

      I basically generate a session id and username and pass it through the scripts in the query. Each script would verify the session and username that's stored in the MySQL db 'Members Online'. Is that considered a bad security measure? Wouldn't this sort of be the same as using a cookie? Each content page would be PERL scripts displaying HTML and would still need some authentication coding, whether it be cookie or db authentication?

      Would you guys say choosing Apache on Windows using .htaccess would be the safest way to go, or cookies/db authentication is safe enough? These files that are for members aren't really top notch files that need to be secured, but as I continue to learn PERL, I want to get to the point where I'm familiar with security in your Perl scripts so that in case some job comes along that requires it, I'll be confident enough to do so.

      Also does anyone have suggestions on books for this type of subject?

      Thank you,
      Anthony
        >Also does anyone have suggestions on books for this type of subject?

        i can recommend a book published by o'reilly (who else?) about basic secure coding principles.

        Secure Coding: Principles & Practices. it tells you a lot about what causes security holes and how you can prevent them. but it does not show you specific code (that's why it's called 'principles').

        have fun!
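Putting cLive's cookie-in-the-DB sketch and iburrell's "serve the content through a script" approach together, here is an added example (my own code, not code from the thread or its posters) of a /files.cgi that checks a session cookie against MySQL, hashes passwords with crypt() as cLive suggests, and serves files from a directory outside the web root while refusing any path that could climb out of it. The table and column names, the protected directory and the database credentials are assumptions; it relies on CGI.pm and DBD::mysql.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use File::Spec;
# Assumed layout (hypothetical, not from the thread): files live outside the web
# root; 'members' holds (username, pwhash) as crypt() hashes; 'sessions' holds (sid, username).
my $PROTECTED_ROOT = 'C:/protected/members';
my %MIME = (gif => 'image/gif', jpg => 'image/jpeg', png => 'image/png', htm => 'text/html');
my $q   = CGI->new;
my $dbh = DBI->connect('DBI:mysql:database=members', 'webuser', 'dbpass', { RaiseError => 1 });
if (my $sid = $q->cookie('sessioncookie')) {
    # A forged or expired cookie simply has no row in the sessions table.
    my ($user) = $dbh->selectrow_array('SELECT username FROM sessions WHERE sid = ?', undef, $sid);
    $user ? serve_file($q->path_info) : show_login();
}
elsif (defined(my $name = $q->param('username'))) {
    my ($hash) = $dbh->selectrow_array('SELECT pwhash FROM members WHERE username = ?', undef, $name);
    # crypt() re-hashes the submitted password using the stored hash as its salt.
    if ($hash && crypt($q->param('password') || '', $hash) eq $hash) {
        # Illustrative session id; use a cryptographic RNG in production.
        my $sid = join '', map { ('a'..'z', 'A'..'Z', '0'..'9')[rand 62] } 1 .. 32;
        $dbh->do('INSERT INTO sessions (sid, username) VALUES (?, ?)', undef, $sid, $name);
        my $c = $q->cookie(-name => 'sessioncookie', -value => $sid, -httponly => 1);
        print $q->header(-cookie => $c), $q->start_html, 'Logged in', $q->end_html;
    } else { show_login() }
}
else { show_login() }

sub serve_file {
    my $rel = defined $_[0] ? $_[0] : '';
    $rel =~ s{^/+}{};
    # Whitelist path characters and reject '..' so the script can never read
    # anything outside $PROTECTED_ROOT, whatever the request path contains.
    if ($rel eq '' || $rel =~ /\.\./ || $rel =~ m{[^A-Za-z0-9_./-]}) {
        print $q->header(-status => '400 Bad Request'); return;
    }
    my $path  = File::Spec->catfile($PROTECTED_ROOT, $rel);
    my ($ext) = lc($path) =~ /\.(\w+)$/;
    open my $fh, '<:raw', $path or do { print $q->header(-status => '404 Not Found'); return };
    print $q->header(-type => $MIME{$ext || ''} || 'application/octet-stream');
    binmode STDOUT; local $/; print <$fh>;
}
sub show_login {
    print $q->header, $q->start_html('Members login'), $q->start_form, 'Username: ',
          $q->textfield('username'), ' Password: ', $q->password_field('password'),
          $q->submit('Log in'), $q->end_form, $q->end_html;
}
```

A request for /files.cgi/some/dir/image.gif reaches serve_file() with PATH_INFO "/some/dir/image.gif" only after the cookie lookup succeeds; deleting the row from the sessions table ends the session.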
Re: help with security info for web content
by rhxk (Beadle) on Mar 24, 2004 at 00:11 UTC
    First, having Windows itself creates a security hole.. :)

    However, there is Apache for windows where you can incorporate the .htaccess feature...

    If you're using ISS or IIS (whichever comes with Windows), you can install Apache to handle your familiarity with it.

    ...& that's my 2 cents...

Re: help with security info for web content
by DaWolf (Curate) on Mar 24, 2004 at 11:57 UTC
    Just my two cents about it:
    • Use sessions. Learn about them, it's a very useful feature for your case. Maybe Apache::Session can do the trick for you, maybe not (not sure if it works on Win32). Anyway, search CPAN about it.
    • Another way of making unauthorized access hard is to test the HTTP_REFERER. This will tell you from where the user is coming to see the image, so you can restrain that the user must come from the image index page, for example. Obviously you put a check in the image index page to see if the user is coming from the login screen.
    Hope that helps. Best regards,

    my ($author_nickname, $author_email) = ("DaWolf","erabbott\@terra.com.br") if ($author_name eq "Er Galvão Abbott");