in reply to help with security info for web content

There are two ways to do authentication with IIS.

First, is to use HTTP basic (or NTLM) authentication against the Windows user database. This can be tied into the NTFS file permissions. This doesn't work well when you want to store the users in the database and not have them exist outside the database.

Second, is to serve the content through a dynamic script. The script checks whatever mechanism you use to authenticate the users (i.e. a cookie), and serves up the file. The URL can hide somewhat that there is a script: /files.cgi/some/dir/image.gif

Apache gives other ways to do authentication. There are Apache modules that can do authentication in many different ways including basic against database, and with cookies. Also, you can write mod_perl auth handlers that run Perl code. Apache::AuthCookie uses cookies. Apache runs quite well on Windows but the mod_perl support is not production quality.
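A concrete form of the second IIS approach above, written as an added example (not code from the original post): a Perl files.cgi that checks a session cookie against an assumed `sessions` table and serves the file named by PATH_INFO, refusing anything that could escape the member directory. The DSN, credentials, cookie name and base directory are placeholders.

```perl
#!/usr/bin/perl
# files.cgi: serves /files.cgi/some/dir/image.gif only to a logged-in session.
# Added example; sessions table, cookie name, DSN and base directory are assumed.
use strict;
use warnings;
use CGI;
use DBI;
use File::Spec;
my $BASE = '/srv/members';   # assumed: outside the document root, reachable only via this script

# Accept only a well-formed, unexpired session id. The id is the credential, so
# it should be long and random, and travel in a cookie rather than the URL.
sub session_ok {
    my ($dbh, $sid) = @_;
    return 0 unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM sessions WHERE id = ? AND expires > NOW()', undef, $sid);
    return $n ? 1 : 0;
}

# Map PATH_INFO onto $BASE, refusing '..', dotfiles and odd characters so a
# request cannot escape the member directory.
sub safe_path {
    my ($base, $path_info) = @_;
    my @parts = grep { length } split m{/+}, (defined $path_info ? $path_info : '');
    return undef unless @parts;
    for (@parts) { return undef unless /\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/ }
    return File::Spec->catfile($base, @parts);
}

my %type = (gif => 'image/gif', jpg => 'image/jpeg', png => 'image/png',
            html => 'text/html', pdf => 'application/pdf');
my $q   = CGI->new;
my $dbh = DBI->connect('DBI:mysql:members', 'app', 'PLACEHOLDER', { RaiseError => 1 });
unless (session_ok($dbh, scalar $q->cookie('session'))) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain'), "Not logged in\n";
    exit;
}
my $file = safe_path($BASE, $q->path_info);
my $fh;
unless (defined $file && -f $file && open $fh, '<:raw', $file) {
    print $q->header(-status => '404 Not Found', -type => 'text/plain'), "No such file\n";
    exit;
}
my ($ext) = $file =~ /\.([A-Za-z0-9]+)\z/;
print $q->header(-type => $type{ lc($ext || '') } || 'application/octet-stream');
binmode STDOUT;
local $/ = \65536;           # stream the file in 64 KB chunks
print while <$fh>;
```

Because the files live outside the document root, a request that bypasses the script (a direct URL to the image) has nothing to fetch; the session check in the script is the only door.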

Re: help with security info for web content
by perleager (Pilgrim) on Mar 24, 2004 at 02:38 UTC
    Hey,

    thanks for the quick replies.

    I basically generate a session id and username and pass it through the scripts in the query. Each script would verify the session and username that's stored in the mysql db 'Members Online'. Is that considered bad security measures? Wouldn't this sort of be the same as using a cookie. Each content page would be PERL scripts displaying HTML and would still need some authentication coding, whether it be cookie or db authentication?

    Would you guys say choosing the Apache on Windows using .htaccess would be the safest way to go or cookies/db authentication is safe enough? These files that are for members aren't really top notch files that need to be secured, but as I continue to learn PERL, I want to get to the point where I'm familiar with security in your Perl scripts so that in case some job comes along that requires it, I'll be confident enough to do so.

    Also does anyone have suggestions on books for this type of subject?

    Thank you,
    Anthony
      >Also does anyone have suggestions on books for this type of subject?

      i can recommend a book published by o'reilly (who else?) about basic secure coding principles.

      Secure Coding: Principles & Practices. it tells you a lot about what causes security holes and how you can prevent them. but it does not show you specific code (that's why it's called 'principles').

      have fun!